[openssl-users] Intermediate certificates

Serj rasjv at yandex.com
Tue Jan 27 20:42:51 UTC 2015

27.01.2015, 23:15, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> Indeed some websites are misconfigured.
> But www.verisign.com is not among them:
> This is not needed for properly configured servers, such as
> www.verisign.com.
Ok. It seems I don't have the last root for www.verisign.com set in my trusted root certs, and that is the only reason I got an error:
Verify return code: 20 (unable to get local issuer certificate)

> While providing additional "untrusted" (intermediate) certificates
> is possible, it is complex and the right solution is for the broken
> sites to fix their certificate chain configuration.

Ok. But is there any documentation on how to set intermediate certificates for my SSL connections? Maybe I want to support these broken sites...

> It is unfortunate that browsers "lend a helping hand" to such sites.
So, you want to say that browsers trust connections that don't provide intermediate certs during the SSL handshake?
As far as I know, most browsers also have intermediate certs in their stores, both as built-in objects and as received during handshakes.
That's why any documentation on how to set intermediate certificates for my SSL connections would be very much needed.

Thank you for answers, Viktor, once again.
And I am looking forward to your reply...

Best Regards,
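
Added example, not part of the original message and not OpenSSL project code: it reproduces the "error 20" result discussed above on a constructed root -> intermediate -> leaf chain, then shows the same leaf verifying once the intermediate is supplied with the `-untrusted` option of `openssl verify`. The certificate names, the temporary directory and the helper function names are assumptions made for the demonstration; it needs the `openssl` command on PATH.

```shell
# Constructed chain: root -> intermediate -> leaf. All names are made up.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
# Minimal config so the CA certificates carry basicConstraints CA:TRUE.
cat > "$D/ca.cnf" <<'EOF'
[req]
distinguished_name = req
x509_extensions = v3_ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_csr() {  # $1 = file stem, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -config "$D/ca.cnf" -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}

build_chain() {
  # Self-signed root: the only certificate placed in the trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$D/ca.cnf" \
    -subj "/CN=Constructed Root" -keyout "$D/root.key" -out "$D/root.pem" \
    2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  new_csr int "Constructed Intermediate" || return 1
  openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
    -CAcreateserial -days 2 -extfile "$D/ca.cnf" -extensions v3_ca \
    -out "$D/int.pem" 2>/dev/null || return 1
  # Leaf, signed by the intermediate.
  new_csr leaf "www.example.test" || return 1
  openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.pem" -CAkey "$D/int.key" \
    -CAcreateserial -days 2 -out "$D/leaf.pem" 2>/dev/null
}

# Peer sent only its leaf: chain building stops at depth 0 with error 20.
verify_leaf_only() {
  openssl verify -CAfile "$D/root.pem" "$D/leaf.pem" 2>&1
}

# Same trust store; the intermediate is passed as an untrusted helper. It can
# complete the chain but is never itself a trust anchor.
verify_with_untrusted() {
  openssl verify -CAfile "$D/root.pem" -untrusted "$D/int.pem" "$D/leaf.pem" 2>&1
}

build_chain
verify_leaf_only || true
verify_with_untrusted
```

In the C API, the corresponding input is the untrusted certificate stack passed as the last argument of `X509_STORE_CTX_init()`.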

