Hal Murray via devel writes:
> I thought most systems came with a collection of trusted/root certificates.
> What do I have to go outside-the-network to get?

You'll have to check the cert chain until you hit one of those trust anchors that can't be otherwise checked since they're the start of the chain. Also, you'll usually check for revoked certificates (OCSP).

> I'm not a certificate wizard. I'm debugging with self signed certificates.
> I'm using root, intermediate, and server certificates. As far as I can tell,
> there is no good reason for the intermediate certificate if you are small or
> just testing. It was in the cookbook I was following and I got past here
> before I figured out that I didn't need it.

Yes, in a local network you will usually not need intermediates… but it's nice to have them anyway, since it lets you more easily delegate or automate cert creation without creating too much of a problem if you need to revoke some CA keys. If you need to revoke a root CA key, then you're royally hosed unless you really are just playing with certs for a bit.

> I tell the NTS-KE server to use a certificate file that contains both the
> server certificate and the intermediate certificate. I assume the server
> sends both to the NTS-KE client. I told the NTS-KE client to use/trust the
> root certificate. It works.

As it should. :-)

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
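
The setup discussed in this thread, as an added example that is not part of the original messages: a throwaway root, intermediate and server certificate are built with the `openssl` CLI, and the chain is checked the way the NTS-KE client sees it, trusting only the root. File names, subject names and the `nts.example.test` host name are constructed for illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> server. All names are made up.

make_pki() {
    d=$1    # empty working directory for keys and certificates
    # CA certificates need basicConstraints CA:TRUE; the server certificate must not have it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nts.example.test\n' > "$d/leaf.ext"

    # One key and signing request per tier.
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example test $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done

    # Root signs itself, root signs the intermediate, the intermediate signs the server.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 30 -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/inter.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -days 30 -out "$d/server.pem" 2>/dev/null &&
    # What the server is configured with: its own certificate plus the intermediate.
    cat "$d/server.pem" "$d/inter.pem" > "$d/server-chain.pem"
}

chain_ok() {
    # $1 = PKI directory, $2 = file holding the certificates the server sends.
    # The client trusts only root.pem; everything from the server is untrusted input.
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/server.pem" 2>&1 |
        grep -q ': OK$'
}
```

After `make_pki DIR`, `chain_ok DIR server-chain.pem` succeeds, while `chain_ok DIR server.pem` fails: a client that trusts only the root cannot link the server certificate to it unless the intermediate is supplied.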