Hi,

This question might be slightly silly and out of place but this conversation brought it up to me. I don't remember seeing the answer...

Is it possible to send several chains, each rooted by a different CA? And then let the client determine if he trusts one of those CAs.

Cheers,

- Alain

Kyle Hamilton wrote:

The only certificates that must be sent are the server identification
and the certs up to (but not including) the trust anchor.  (Since the
client already has the trust anchor, it will verify against its local
copy of the root CA, not the copy of the root CA that came from the
connection.)

Sending the extra certificate doesn't hurt, though.

-Kyle H

On 2/27/06, Brian Candler <[EMAIL PROTECTED]> wrote:
On Mon, Feb 27, 2006 at 07:36:16PM +0000, Brian Candler wrote:
Ah. I had just used -cert ../server.example.com-cert.pem (where this file
contains all the certificates). So now I've added -CAfile as well, pointing
to the same file:

#!/bin/sh
cd content
openssl s_server -cert ../server.example.com-cert.pem \
 -CAfile ../server.example.com-cert.pem \
 -key ../server.example.com-key.pem \
 -WWW

And it works. I've removed the sub-CA certificate and its symlink from
/etc/ssl/certs, but the client can still verify the chain:
As a follow-up for the benefit of the list archive: to get this to work in
Apache+mod_ssl I just had to uncomment

SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt

from httpd.conf, and point it at a file containing the sub-CA's certificate
(signed by the root CA) and the root CA's own self-signed certificate.

Regards,

Brian.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
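As an added example (not code from the thread or from the OpenSSL project): Brian's setup keeps every certificate in one file, server.example.com-cert.pem, and the Apache SSLCertificateChainFile needs the sub-CA and root certificates pulled out of such a bundle. The small POSIX shell functions below count the certificates in a PEM bundle, split it into one file per certificate in bundle order, and extract the N-th certificate. The bundle contents are constructed placeholder blocks, not real certificates; the file and directory names are assumptions.

```shell
#!/bin/sh
# Added example: handle a PEM bundle that holds several certificates.
# The certificate bodies below are constructed placeholders, not real certificates.

BUNDLE_CONTENT='-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SUBCA-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----'

# pem_cert_count FILE: print how many certificates the PEM bundle contains
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# split_pem_bundle FILE OUTDIR: write OUTDIR/cert-1.pem, cert-2.pem, ... in bundle order
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = outdir "/cert-" n ".pem" }
        n > 0 { print > out }
        /^-----END CERTIFICATE-----$/ { close(out) }
    ' "$bundle"
}

# pem_nth_cert FILE N: print only the N-th certificate block (1-based) of the bundle
pem_nth_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----$/ && n == want { exit }
    ' "$1"
}

# Demo on the constructed bundle (temporary paths are assumptions)
BUNDLE=$(mktemp)
OUTDIR=$(mktemp -d)
printf '%s\n' "$BUNDLE_CONTENT" > "$BUNDLE"

echo "certificates in bundle: $(pem_cert_count "$BUNDLE")"
split_pem_bundle "$BUNDLE" "$OUTDIR"
echo "split into:"
ls "$OUTDIR"
echo "second certificate (the sub-CA position in this bundle):"
pem_nth_cert "$BUNDLE" 2
```

Once a real bundle has been split this way, `openssl x509 -noout -subject -issuer -in cert-1.pem` (and so on for each piece) shows which certificate is the server's, which is the sub-CA's, and which is the self-signed root, so the right pieces can be pointed at from SSLCertificateChainFile or -CAfile.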