What is 'trusted certificate'

David von Oheimb it at von-Oheimb.de
Sat Jul 16 06:45:22 UTC 2022


The below warning message looks a bit like it was produced by OpenSSL,
but I am pretty sure it actually comes from the freeradius server code, which
appears to use one of the OpenSSL certificate checking callback
mechanisms. So you should ask there what the exact intention for this
warning is and how to prevent it.

To me the below warnings look strange because usually at depth 0 and 1
of a cert chain (i.e., at the positions of the end entity cert and any
subsequent intermediate cert) it is normal to have untrusted certs.
Usually only at the end of the chain do you have a trusted cert that
represents the trust anchor for the chain.

Some information on the OpenSSL view on trusted/untrusted certs can be
found at https://beta.openssl.org/docs/manmaster/man1/openssl-verification-options.html

 David

On Fri, 2022-07-15 at 22:38 +0200, Kamil Jońca wrote:
> 
> I have freeradius server configured to use EAP-TLS
> (certificate based authn)
> For some time I have had a warning in the logs:
> 
> --8<---------------cut here---------------start------------->8---
> Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with
> depth [1] subject name
> /C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca
> Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with
> depth [0] subject name
> /C=PL/ST=Mazowieckie/O=beta/OU=wifi/CN=salamandra
> --8<---------------cut here---------------end--------------->8---
> 
> I took a look at the code and it seems to be related to the
> "X509_STORE_CTX_get0_untrusted(ctx)" function.
> I tried to search, but without success.
> Can anyone tell me when a certificate is "trusted" in this context?
> (How to get rid of this warning) or point to documentation/search keys
> 
> KJ
> 
> --
> http://wolnelektury.pl/wesprzyj/teraz/
> 
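An added example, not from either poster, that reproduces David's point with the openssl command line: it builds a constructed three-level chain (root CA, intermediate CA, end entity, with subject names echoing the quoted warning) and has `openssl verify -show_chain` report which chain elements came from the untrusted input versus the trust anchor. It assumes an openssl binary (1.1.1 or 3.x) and mktemp on PATH.

```shell
#!/bin/sh
# Constructed demo chain; all names, paths and serials are made up.
set -e

make_chain() {
  dir=$1
  mkdir -p "$dir"
  # Extensions that make a cert usable as a CA (root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca_ext.cnf"
  # Root CA, self-signed: the trust anchor, the only cert handed to -CAfile.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/O=beta/CN=beta-root-ca" 2>/dev/null
  openssl x509 -req -days 1 -set_serial 1 -in "$dir/root.csr" \
    -signkey "$dir/root.key" -extfile "$dir/ca_ext.cnf" -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA issued by the root: will sit at depth 1 of the chain.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
    -out "$dir/inter.csr" -subj "/O=beta/OU=wifi/CN=beta-wifi-ca" 2>/dev/null
  openssl x509 -req -days 1 -set_serial 2 -in "$dir/inter.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -extfile "$dir/ca_ext.cnf" -out "$dir/inter.pem" 2>/dev/null
  # End-entity cert issued by the intermediate: depth 0 of the chain.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
    -out "$dir/leaf.csr" -subj "/O=beta/OU=wifi/CN=salamandra" 2>/dev/null
  openssl x509 -req -days 1 -set_serial 3 -in "$dir/leaf.csr" -CA "$dir/inter.pem" \
    -CAkey "$dir/inter.key" -out "$dir/leaf.pem" 2>/dev/null
}

# Verify the leaf the way a TLS server would: the intermediate is supplied as
# "untrusted" (like a peer-sent chain), only the root is in the trust store.
# -show_chain marks every element taken from the untrusted input; the trust
# anchor found in the store gets no "(untrusted)" tag.
verify_chain() {
  dir=$1
  openssl verify -show_chain -CAfile "$dir/root.pem" \
    -untrusted "$dir/inter.pem" "$dir/leaf.pem"
}

# Number of chain elements reported as untrusted (leaf + intermediate = 2).
count_untrusted() { verify_chain "$1" | grep -c '(untrusted)'; }

# The line describing the trust anchor at the end of the chain (depth 2).
trust_anchor_line() { verify_chain "$1" | grep '^depth=2:'; }

demo=$(mktemp -d)
make_chain "$demo"
verify_chain "$demo"   # depth=0 and depth=1 are "(untrusted)", depth=2 is not
rm -rf "$demo"
```

The depth numbers and the "(untrusted)" tags are what the freeradius warning is reporting: depth 0 and 1 being untrusted is the normal shape of a valid chain.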