[openssl-users] (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

Viktor Dukhovni openssl-users at dukhovni.org
Tue Nov 8 19:04:44 UTC 2016


> On Nov 8, 2016, at 4:26 AM, Erwann Abalea <Erwann.Abalea at docusign.com> wrote:
> 
> The root certificate is not expected to be sent by the server, as it already needs to be known and trusted by the client.
> However, you’re free to configure your server to send it, for debugging or informational purposes.

A root CA certificate MUST be sent when the server's DANE-TA(2)
TLSA record designates that root as a trust-anchor.

	https://tools.ietf.org/html/rfc7671#section-5.2

-- 
	Viktor.



More information about the openssl-users mailing list