Certificate verification with cross signed CAs
James Chapman
openssl-users at natsuki.co.uk
Mon Jul 1 14:54:46 UTC 2024
I’ve been using openssl verify to check some certificate chains:
server -> ca -> roota
server -> alt_ca -> rootb
Certificates ca and alt_ca have the same subject and public key and different issuers.
openssl verify -trusted roota.pem -untrusted ca.pem server.pem
openssl verify -trusted rootb.pem -untrusted alt_ca.pem server.pem
work fine; however, if I include both intermediate CAs, then verify only succeeds when the correct untrusted CA is first in the list:
openssl verify -trusted roota.pem -untrusted ca.pem -untrusted alt_ca.pem server.pem (OK)
openssl verify -trusted rootb.pem -untrusted ca.pem -untrusted alt_ca.pem server.pem (FAIL: error 20 at 1 depth lookup: unable to get local issuer certificate)
Is there a mechanism to support both ca.pem and alt_ca.pem without knowing which root the client has?
Many thanks
James
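As an added reproduction of the setup described in the post (my own example script, not James's commands and not anything shipped with OpenSSL), the script below builds two roots, one intermediate key cross-signed by both of them, and a server certificate, then runs openssl verify for each combination of trusted root and untrusted intermediates. It needs an openssl CLI (1.1.1 or 3.x); the file names, subject names, P-256 keys and the scratch directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post.  Builds a throwaway PKI with
# the same shape as the one described above (two roots, one intermediate key
# cross-signed by both roots, one server certificate) and runs "openssl verify"
# against it.  Assumes an "openssl" CLI (1.1.1 or 3.x); all file names, subjects
# and the scratch directory are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config file serves both "req -x509" (section v3_ca via x509_extensions)
# and "x509 -req -extfile ... -extensions v3_ca".  CA:TRUE is required on every
# issuing certificate, otherwise verify reports "invalid CA certificate".
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# mkroot NAME CN: self-signed root certificate NAME.pem with private key NAME.key
mkroot() {
  # shellcheck disable=SC2086
  openssl req -x509 -config "$WORK/req.cnf" $KEYOPTS -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# mkcsr NAME CN: fresh key NAME.key and certificate request NAME.csr
mkcsr() {
  # shellcheck disable=SC2086
  openssl req -new -config "$WORK/req.cnf" $KEYOPTS \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign CSR ISSUER OUT [SECTION]: sign CSR.csr with ISSUER.key, writing OUT.pem;
# SECTION, if given, names the extension section to attach (v3_ca for a CA cert)
sign() {
  if [ $# -ge 4 ]; then ext="-extfile $WORK/req.cnf -extensions $4"; else ext=""; fi
  # shellcheck disable=SC2086
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$3.pem" $ext 2>/dev/null
}

# Build the PKI: server -> ca -> roota and server -> alt_ca -> rootb, where ca
# and alt_ca share one subject and public key but have different issuers.
build_pki() {
  mkroot roota "Root A"
  mkroot rootb "Root B"
  mkcsr ca "Intermediate CA"
  sign ca roota ca v3_ca        # ca.pem:     Intermediate CA issued by Root A
  sign ca rootb alt_ca v3_ca    # alt_ca.pem: same key and subject, issued by Root B
  mkcsr server "server.example"
  sign server ca server         # leaf issued with the intermediate key
}

# verify_chain ROOT [INTERMEDIATE...]: "openssl verify" with ROOT trusted and the
# intermediates passed, in the order given, as -untrusted.  The exit status is
# that of openssl verify, so callers can test it directly.
verify_chain() {
  root="$WORK/$1.pem"; shift
  args=""
  for c in "$@"; do args="$args -untrusted $WORK/$c.pem"; done
  # shellcheck disable=SC2086
  openssl verify -trusted "$root" $args "$WORK/server.pem" >/dev/null 2>&1
}

# report LABEL ROOT [INTERMEDIATE...]: print OK or FAIL for one verify_chain call
report() {
  label=$1; shift
  if verify_chain "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

build_pki
report "roota, ca"           roota ca
report "rootb, alt_ca"       rootb alt_ca
report "rootb, ca"           rootb ca          # wrong intermediate for this root
report "roota, ca alt_ca"    roota ca alt_ca   # matching intermediate listed first
report "rootb, ca alt_ca"    rootb ca alt_ca   # the case from the post
report "rootb, alt_ca ca"    rootb alt_ca ca   # same pair, matching one first
```

Run it with sh. The single-intermediate cases print OK when the intermediate was issued by the trusted root and FAIL otherwise, whatever the OpenSSL version. The last three lines are the situation from the post: they show whether the local chain builder stops at the first untrusted certificate whose subject matches the leaf's issuer, or goes on to consider the cross-signed alternative, which is exactly the behaviour worth checking before relying on a client-side trust store you do not control.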