[openssl-users] Why can not get certificate chain if certificate expire

Richard Moore richmoore44 at gmail.com
Thu Dec 18 15:03:38 UTC 2014


On 18 December 2014 at 02:08, Jerry OELoo <oyljerry at gmail.com> wrote:
>
> Hi Rich:
> But why browser Chrome can show all certificate path? How did it do?
> Thanks!
>
>
Browsers fix up mistakes like this in various ways - Firefox caches
intermediates and attempts to fix things by using them if the chain is
missing. IE tries fetching them from windows update (indeed it does this
for rarely used root certificates too), it is also possible to fetch the
intermediates by downloading them from the location indicated in the AIA
extension if present in the leaf certificate. I'm not quite sure which
mechanism (or combination of mechanisms) is being used in the current
version of Chrome but it's like a variant on one of these,

Cheers

Rich.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.opensslfoundation.net/pipermail/openssl-users/attachments/20141218/a0d9c398/attachment.html>


More information about the openssl-users mailing list