[openssl-users] CA design question?

Walter H. Walter.H at mathemainzel.info
Sat Dec 5 21:37:43 UTC 2015


On 05.12.2015 20:20, Viktor Dukhovni wrote:
> On Sat, Dec 05, 2015 at 07:55:50PM +0100, Walter H. wrote:
>
>> my website has an official SSL certificate, which I renewed this year to
>> have a SHA-256 certificate;
>> when I test my site with SSLLabs.com, I'm shown two certificate paths:
>>
>> the first one:
>> my SSL cert (SHA-256) sent by server
>> the intermediate (SHA-256) sent by server (SHA1 Fingerprint:
>> 064969b7f4d6a74fd098be59d379fae429a906fb)
>> the self-signed (SHA-256) in trust store (SHA1 Fingerprint:
>> a3f1333fe242bfcfc5d14e8f394298406810d1a0)
> All this obfuscation is rather pointless (and annoying), please
> just post the certificates.
Take these examples:
https://www.ssllabs.com/ssltest/analyze.html?d=fibot.creditplus.de
https://www.ssllabs.com/ssltest/analyze.html?d=sixxs.net
They both have two certificate paths; especially the one of sixxs.net would
be interesting if someone can explain it:
one path has 3 certs and the other path 4 certs ...

>> Now my question: how would it be possible to generate an SSL certificate that
>> can be used with two different certificate paths?
> There are two versions of one of the issuer certificates.
The certificate that issued the SSL cert is the same in both samples above;
only the root CA cert is different. How would I generate such a situation?
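
One way the "two versions of one of the issuer certificates" from the quoted reply can yield a 3-certificate and a 4-certificate path for the same leaf, as an added example that is not part of this message or of either poster's setup. It assumes the OpenSSL 1.1.0+ command line; all names, keys and files are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: every name, key and file here is made up for this example.
W=$(mktemp -d)

# sign <csr-name> <output-name> <extra openssl x509 arguments...>
sign() {
    csr=$1; out=$2; shift 2
    openssl x509 -req -in "$W/$csr.csr" -sha256 -days 30 \
        -out "$W/$out.pem" "$@" 2>/dev/null
}

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$W/ca.ext"
    for n in rootA rootB inter leaf; do
        openssl genrsa -out "$W/$n.key" 2048 2>/dev/null
        openssl req -new -key "$W/$n.key" -subj "/CN=Demo $n" -out "$W/$n.csr"
    done
    # Root B is an ordinary self-signed root.
    sign rootB rootB -signkey "$W/rootB.key" -extfile "$W/ca.ext"
    # Root A exists in two versions built from the same CSR, so both carry the
    # same subject and public key: one self-signed, one issued by root B.
    sign rootA rootA-self -signkey "$W/rootA.key" -extfile "$W/ca.ext"
    sign rootA rootA-cross -CA "$W/rootB.pem" -CAkey "$W/rootB.key" \
        -set_serial 2 -extfile "$W/ca.ext"
    # The intermediate is signed once, with root A's key; the leaf by it.
    sign inter inter -CA "$W/rootA-self.pem" -CAkey "$W/rootA.key" \
        -set_serial 3 -extfile "$W/ca.ext"
    sign leaf leaf -CA "$W/inter.pem" -CAkey "$W/inter.key" -set_serial 4
    # What a server would send after the leaf: intermediate plus cross cert.
    cat "$W/inter.pem" "$W/rootA-cross.pem" > "$W/served.pem"
}

# chain_len <trusted-root> <untrusted-bundle>
# Prints the number of certificates in the verified path, 0 if none is found.
chain_len() {
    openssl verify -no-CApath -show_chain -CAfile "$W/$1" \
        -untrusted "$W/$2" "$W/leaf.pem" 2>/dev/null | grep -c '^depth='
}

build_pki
echo "root A trusted: $(chain_len rootA-self.pem served.pem) certificates"
echo "root B trusted: $(chain_len rootB.pem served.pem) certificates"
```

The leaf and the intermediate are identical in both paths; only the trust anchor the verifier holds decides whether the chain ends at the self-signed root A or continues through the cross certificate to root B.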

