[openssl-users] Certificate chain validation

Salz, Rich rsalz at akamai.com
Fri Apr 21 15:20:29 UTC 2017

No, you must have a chain up to a local trust anchor.

You can install the intermediate in your trust store.

Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richsalz at jabber.at Twitter: RichSalz

From: Lei Kong [mailto:leikong at msn.com]
Sent: Thursday, April 20, 2017 9:38 PM
To: openssl-users at openssl.org
Subject: [openssl-users] Certificate chain validation

When validating a certificate issued by an intermediate certificate authority, I noticed that I need to install both the root and the intermediate CA certificate locally (with update-ca-certificates on ubuntu 16.04). Verification fails if only root CA cert is installed (intermediate is not installed), is this expected behavior? Why do I need to install intermediate CA cert locally? Locally installed root CA cert is not enough to validate intermediate CA cert?

Is it possible to make chain validation work with only root CA cert installed locally?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170421/67376e34/attachment-0001.html>

More information about the openssl-users mailing list