Hello Chris,
> You cannot just replace the trust.pem with trust_new.pem as the new
> root CA cert (trust_new.pem) did not sign the sub CA cert (a-sign.pem)
> and so the chain is broken. They need to give you a new CA cert and
> server cert.

Thanks for the answer. I must admit that I'm not very familiar with
certificates, but I thought that signing means that the certificate
authority (trust.pem in this case) encrypts some sort of hash of the
certificate to be signed (a-sign.pem in this case) with its private key
and in order to validate a-sign.pem one needs the public key of
trust.pem to decrypt the signature to check the hash. OpenSSL should
(probably) find trust_new.pem via the issuer name in a-sign.pem, and
since the public key of trust_new.pem is the same as that of trust.pem
it should make no difference when it comes to decrypting the hash of
a-sign.pem ... but I might be totally wrong of course as well...?
TIA
Manfred
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
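
A throwaway lab for the question discussed in this message, added here as an example and not part of the original thread: it re-issues a root with the same key and subject name, then runs `openssl verify` on a sub CA certificate against each root. It goes beyond the thread by also varying the sub CA's authorityKeyIdentifier form. The file names trust.pem, trust_new.pem and a-sign.pem mirror the thread; the subject names, serials, trust_other.pem, a-sign-serial.pem and the extension settings are assumptions, since the real certificates' contents are not shown.

```shell
#!/bin/sh
# Constructed lab: all keys, names and serials are throwaway demo values.
# trust.pem, trust_new.pem, a-sign.pem mirror the thread; other names are hypothetical.
chain_lab() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ext
[dn]
CN = unused
[root_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[sub_keyid]
basicConstraints = critical,CA:TRUE
authorityKeyIdentifier = keyid:always
[sub_serial]
basicConstraints = critical,CA:TRUE
authorityKeyIdentifier = issuer:always
EOF
  for k in root other sub; do openssl genrsa -out "$k.key" 2048 2>/dev/null; done
  # mkroot KEY SERIAL OUT: self-signed root, always with the same subject name
  mkroot() { openssl req -x509 -new -config lab.cnf -key "$1" -subj "/CN=Demo Root" \
               -set_serial "$2" -days 30 -out "$3"; }
  mkroot root.key  1 trust.pem         # original root
  mkroot root.key  2 trust_new.pem     # re-issued root: same key and name, new serial
  mkroot other.key 3 trust_other.pem   # same name, different key
  openssl req -new -config lab.cnf -key sub.key -subj "/CN=Demo Sub CA" -out sub.csr
  # mksub EXT_SECTION SERIAL OUT: sub CA certificate signed by the original root
  mksub() { openssl x509 -req -in sub.csr -CA trust.pem -CAkey root.key -set_serial "$2" \
              -days 30 -extfile lab.cnf -extensions "$1" -out "$3" 2>/dev/null; }
  mksub sub_keyid  10 a-sign.pem          # AKID carries the issuer's key identifier
  mksub sub_serial 11 a-sign-serial.pem   # AKID carries issuer name + serial
  # check ROOT CERT LABEL: prints LABEL=ok or LABEL=fail
  check() { if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
            then echo "$3=ok"; else echo "$3=fail"; fi; }
  check trust.pem       a-sign.pem        original_root
  check trust_new.pem   a-sign.pem        same_key_new_root
  check trust_other.pem a-sign.pem        different_key_root
  check trust_new.pem   a-sign-serial.pem same_key_new_root_akid_serial
)
chain_lab
```

To see which case applies to a real certificate, inspect its extensions with `openssl x509 -noout -text -in a-sign.pem` and compare the Authority Key Identifier with the candidate root's Subject Key Identifier and serial number.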