<SNIP> So Microsoft, trying to be "clever" again, seems to have fooled me into thinking the chain could be in the file, whereas now I know it isn't in my example file and I suspect it can never be. If anyone can confirm this, I'd be interested. </SNIP>
Sebastian,

This is indeed the case. The "certificate chain" starts with the root CA (normally a company like Thawte or Verisign), whom browsers (for example) are programmed to trust. The basic structure works like this - they sign and issue a certificate to someone (me for example) and I load it into my web server. You hit my web site at https://www.somewhere.com. You get my certificate which has been signed by Thawte. Since your browser "recognizes" the Thawte signature, it accepts my statements about my identity.

Where chains come into play is when the CA issues a cert to a company for the purposes of generating additional certs. If you look at certs from some CAs, they will often tie back to one of the early CAs like Verisign. Also, if any link in the chain is not present, then the certificate is not "valid". For example, if I don't have Verisign loaded as a trusted CA, my browser will distrust almost all the SSL certificates on the web.

It is also interesting to note that for practical purposes Certificate Revocation Lists are invalid. While they do exist and are part of the standard, very few applications are written to take advantage of them. Once a certificate is issued, it is "good" until its expiration date, if one was set.

HTH,
Jimi

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
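The chain behaviour Jimi describes (root trusted, intermediate issued by the root, leaf issued by the intermediate, and the whole thing falling apart when any link is missing) can be reproduced locally with the openssl command-line tool. The script below is an added example written for this thread; it is not code from Jimi's message or from the OpenSSL project. It assumes an openssl binary of version 1.1.0 or later on PATH (for `-no-CAfile`/`-no-CApath`), and every subject name, file name and key size in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: build a root -> intermediate -> leaf chain with the openssl CLI
# and show how "openssl verify" behaves when links are present or missing.
# All names (Example Root CA, www.somewhere.com, file names) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
# The [dn] entry is overridden by -subj on each command line.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Root CA: self-signed; this is the "Verisign" the browser is programmed to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 -config ca.cnf \
  -extensions v3_ca -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# 2. Intermediate CA: a cert issued by the root "for the purposes of generating
#    additional certs" (pathlen:0 means it may only issue end-entity certs).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile inter.ext -out inter.pem >/dev/null 2>&1

# 3. Leaf: the web server certificate, issued by the intermediate, not the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "/CN=www.somewhere.com" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.somewhere.com\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# Each check prints "valid" or "invalid". -no-CAfile/-no-CApath disable the
# system trust store so only the files named here count as trust anchors.
verify_with_chain() {
  # Root trusted, intermediate supplied as an untrusted link: the chain is complete.
  if openssl verify -no-CAfile -no-CApath -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

verify_without_intermediate() {
  # Root trusted but the intermediate is never offered: a missing link in the chain.
  if openssl verify -no-CAfile -no-CApath -CAfile root.pem leaf.pem >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

verify_without_root() {
  # Intermediate offered but the root is not loaded as trusted: like a browser
  # without Verisign installed, so nothing ties the chain to a trust anchor.
  if openssl verify -no-CAfile -no-CApath -untrusted inter.pem leaf.pem >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

echo "full chain:           $(verify_with_chain)"
echo "missing intermediate: $(verify_without_intermediate)"
echo "missing root:         $(verify_without_root)"
```

Running it prints `valid` only for the first case. The second case is the one that surprises most people deploying a server certificate: the root is in the trust store, the leaf is correctly signed, and verification still fails because the intermediate was not sent alongside the leaf. That is why web servers are configured with a chain file (leaf plus intermediates) rather than the leaf alone.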