[openssl-users] Certificate chain validation

Jakob Bohm jb-openssl at wisemo.com
Fri Apr 21 12:09:12 UTC 2017


On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate 
> authority, I noticed that I need to install both the root and the 
> intermediate CA certificate locally (with update-ca-certificates on 
> Ubuntu 16.04). Verification fails if only root CA cert is installed 
> (intermediate is not installed), is this expected behavior? Why do I 
> need to install intermediate CA cert locally? Locally installed root 
> CA cert is not enough to validate intermediate CA cert?
>
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert 
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation-related
function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
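
The behaviour described in the reply above, reproduced with the `openssl verify` command-line tool as an added example (not part of the original message). It builds a throwaway three-level chain and verifies the leaf with only the root trusted, first without and then with the intermediate offered through `-untrusted`; the `Demo ...` subject names, file names and the helper functions `make_demo_pki` and `verify_leaf` are constructed for this illustration.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, Demo root -> Demo intermediate -> Demo leaf.
make_demo_pki() {
    d=$1
    # Minimal config so the demo does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = placeholder' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = CA:FALSE' > "$d/demo.cnf"
    # One key pair and signing request per certificate.
    for n in root intermediate leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=Demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 1
    done
    # Root: self-signed CA certificate, the only trust anchor in this demo.
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/demo.cnf" -extensions ca -out "$d/root.pem" \
        2>/dev/null || return 1
    # Intermediate: CA certificate issued by the root.
    openssl x509 -req -days 2 -in "$d/intermediate.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/demo.cnf" -extensions ca -out "$d/intermediate.pem" \
        2>/dev/null || return 1
    # Leaf: end-entity certificate issued by the intermediate, not by the root.
    openssl x509 -req -days 2 -in "$d/leaf.csr" \
        -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" -CAcreateserial \
        -extfile "$d/demo.cnf" -extensions leaf -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf DIR [UNTRUSTED_FILE]
# Trusts only DIR/root.pem. UNTRUSTED_FILE, if given, is a bundle of candidate
# intermediates (what the peer should have sent); it supplies chain-building
# material only and is never treated as a trust anchor.
# Returns 0 only when openssl reports "<file>: OK".
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem"
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
    fi 2>/dev/null | grep -q ': OK$'
}

demo=$(mktemp -d)
make_demo_pki "$demo" || echo "could not build demo PKI (is openssl installed?)"
# Peer omitted the intermediate: no path from the leaf to the trusted root.
verify_leaf "$demo" && echo "root only: OK" || echo "root only: FAILED"
# Intermediate supplied as untrusted input: the chain completes to the root.
verify_leaf "$demo" "$demo/intermediate.pem" \
    && echo "root + untrusted intermediate: OK" \
    || echo "root + untrusted intermediate: FAILED"
rm -rf "$demo"
```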


