[openssl-users] Certificate chain validation

Lei Kong leikong at msn.com
Fri Apr 21 21:15:28 UTC 2017

According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html, openssl will search the default locations for chain building:

“If no chain is specified, the library will try to complete the chain from the available CA certificates in the trusted CA storage, see SSL_CTX_load_verify_locations<https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_load_verify_locations.html>.”

From: Lei Kong<mailto:leikong at msn.com>
Sent: Friday, April 21, 2017 2:10 PM
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: RE: [openssl-users] Certificate chain validation

Right on!
I think it is indeed an issue of partial chain on the loading side.

As a related question, on the loading side, do I need to provide the whole chain to SSL_CTX_use_certificate?
If intermediate CA certificate is installed into default locations like /ets/ssl/certs, and only end certificate is passed to SSL_CTX_use_certificate, will openssl search the default locations to build a complete chain before sending it to the remote side?


From: Jakob Bohm<mailto:jb-openssl at wisemo.com>
Sent: Friday, April 21, 2017 5:10 AM
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: Re: [openssl-users] Certificate chain validation

On 21/04/2017 03:37, Lei Kong wrote:
> When validating a certificate issued by an intermediate certificate
> authority, I noticed that I need to install both the root and the
> intermediate CA certificate locally (with update-ca-certificates on
> ubuntu 16.04). Verification fails if only root CA cert is installed
> (intermediate is not installed), is this expected behavior? Why do I
> need to install intermediate CA cert locally? Locally installed root
> CA cert is not enough to validate intermediate CA cert?
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert
> installed locally?
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170421/a9c03e52/attachment.html>

More information about the openssl-users mailing list