[openssl-users] Certificate chain validation

Jakob Bohm jb-openssl at wisemo.com
Fri Apr 21 12:09:12 UTC 2017

On 21/04/2017 03:37, Lei Kong wrote:
> When validating a certificate issued by an intermediate certificate 
> authority, I noticed that I need to install both the root and the 
> intermediate CA certificate locally (with update-ca-certificates on 
> ubuntu 16.04). Verification fails if only root CA cert is installed 
> (intermediate is not installed), is this expected behavior? Why do I 
> need to install intermediate CA cert locally? Locally installed root 
> CA cert is not enough to validate intermediate CA cert?
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert 
> installed locally?
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list