[openssl-users] cert chain file ordering question

Viktor Dukhovni openssl-users at dukhovni.org
Tue Jan 9 23:36:26 UTC 2018



> On Jan 9, 2018, at 5:55 PM, Norm Green <norm.green at gemtalksystems.com> wrote:
> 
> Same result. The only way it seems to work is if the leaf cert appears at the end of the file.

You're badly mistaken.  *ONLY* the first certificate in the file is verified.
When you put the leaf cert at the end, you're *ONLY* verifying the top-most
issuer CA certificate.

The correct way to verify a chain is to put the root CA in a CAfile,
intermediate CAs in an "untrusted" chain file, and the leaf cert all
by itself in a separate file.  As explained upstream.  If that's not
working, then perhaps your chain is actually incomplete or otherwise
does not satisfy all the requirements.

-- 
	Viktor.



More information about the openssl-users mailing list