[openssl-users] cert chain file ordering question
Norm Green
norm.green at gemtalksystems.com
Tue Jan 9 00:33:16 UTC 2018
This question is regarding OpenSSL 1.1.
Let's say I have this trust hierarchy:
RootCA
CA1
CA2
CA3
userCert
So userCert is signed by CA3, CA3 is signed by CA2, and so on up to
RootCA, which is a self-signed root cert.
If I combine CA1, CA2, CA3 and userCert into a single PEM file, chain.pem,
the openssl verify command only verifies the chain is correct if the
order of the file is such that the user cert occurs *last* in the chain
as follows:
CA1
CA2
CA3
userCert
openssl verify -CAfile RootCA.pem chain.pem
What strikes me as odd is the order shown above is the *opposite* of
what is needed for the SSL_CTX_use_certificate_chain_file() function,
which requires the highest level CA to appear at the end of the file.
From the man page:
SSL_CTX_use_certificate_chain_file() loads a certificate chain from file
into ctx. The certificates must be in PEM format and must be sorted
starting with the subject's certificate (actual client or server
certificate), followed by intermediate CA certificates if applicable,
and ending at the highest level (root) CA.
SSL_use_certificate_chain_file() is similar except it loads the
certificate chain into ssl.
Is my understanding of things correct? Seems like there should be a way
for the openssl command to verify a chain file which will be used with the
SSL_CTX_use_certificate_chain_file() function.
Norm Green
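The following script is an added example, not part of Norm's post or of OpenSSL's own documentation. It builds a throwaway RootCA -> CA1 -> CA2 -> CA3 -> userCert hierarchy with the openssl CLI (all names, keys and the scratch directory are constructed for the demo), writes chain.pem in both orders discussed above, and then verifies userCert two ways: with the post's command, which passes the chain file as the certificate to verify, and with the intermediates supplied through `-untrusted`, which treats the file as a lookup pool so the order of the certificates inside it does not matter. `-show_chain` prints the chain OpenSSL actually built. It assumes an `openssl` binary (1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: exercise both chain.pem orderings
# against 'openssl verify'. Everything under $WORK is constructed test material.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Minimal config so 'openssl req' works without a system openssl.cnf.
# v3_ca marks intermediates as CAs; v3_leaf is used for the end-entity cert.
write_cnf() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
}

# new_csr NAME CN: fresh P-256 key plus a CSR for the given CN.
new_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$WORK/req.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTSECTION: issue NAME.pem from NAME.csr under ISSUER.
sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

build_hierarchy() {
    write_cnf
    # self-signed root (x509_extensions = v3_ca gives it CA:TRUE)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$WORK/req.cnf" -subj "/CN=RootCA" -days 1 \
        -keyout "$WORK/RootCA.key" -out "$WORK/RootCA.pem" 2>/dev/null
    new_csr CA1 CA1;       sign CA1 RootCA v3_ca
    new_csr CA2 CA2;       sign CA2 CA1 v3_ca
    new_csr CA3 CA3;       sign CA3 CA2 v3_ca
    new_csr userCert user; sign userCert CA3 v3_leaf
    # leaf-last order: the order the post found 'openssl verify' accepts
    cat "$WORK/CA1.pem" "$WORK/CA2.pem" "$WORK/CA3.pem" "$WORK/userCert.pem" \
        > "$WORK/chain_leaf_last.pem"
    # leaf-first order: the order SSL_CTX_use_certificate_chain_file() expects
    cat "$WORK/userCert.pem" "$WORK/CA3.pem" "$WORK/CA2.pem" "$WORK/CA1.pem" \
        > "$WORK/chain_leaf_first.pem"
}

# verify_as_posted CHAINFILE: the post's command, chain file as the positional argument.
verify_as_posted() {
    openssl verify -CAfile "$WORK/RootCA.pem" "$1" >/dev/null 2>&1
}

# verify_leaf CHAINFILE: verify userCert against RootCA, using CHAINFILE as the
# pool of untrusted intermediates. Exit status is openssl's; -show_chain prints
# the chain that was built regardless of how CHAINFILE is ordered.
verify_leaf() {
    openssl verify -CAfile "$WORK/RootCA.pem" -untrusted "$1" -show_chain \
        "$WORK/userCert.pem"
}

main() {
    build_hierarchy
    for f in chain_leaf_last chain_leaf_first; do
        if verify_as_posted "$WORK/$f.pem"; then r=OK; else r=FAIL; fi
        echo "as posted,  $f.pem: $r"
        if verify_leaf "$WORK/$f.pem"; then r=OK; else r=FAIL; fi
        echo "-untrusted, $f.pem: $r"
    done
}

# Run the demo only when invoked as 'sh script.sh demo'; otherwise just define functions.
if [ "${1:-}" = "demo" ]; then main; fi
```

Run with `sh chain_demo.sh demo`. The `-untrusted` form verifies the leaf with either file ordering, so a chain file laid out for SSL_CTX_use_certificate_chain_file() can be checked with `openssl verify -CAfile RootCA.pem -untrusted chain.pem userCert.pem` without reordering it.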