Actually, there's a paper that was pointed out to me not too long ago
(by Philipp Gühring of CAcert.org) -- it /should/ be possible, however
there's a severe lack of support in the current implementations.

http://www.dfn-pca.de/bibliothek/reports/pki-linking/report-linking-final-1.0.2.pdf
(CC:AT-NC-SA)

I would like to see support made much more available.

-Kyle H

On 2/28/06, Alain Damiral <[EMAIL PROTECTED]> wrote:
> Hi,
>
> This question might be slightly silly and out of place but this
> conversation brought it up to me. I don't remember seeing the answer...
>
> Is it possible to send several chains, each rooted by a different CA?
> And then let the client determine if he trusts one of those CAs.
>
> Cheers,
>
> - Alain
>
> Kyle Hamilton wrote:
>
> >The only certificates that must be sent are the server identification
> >and the certs up to (but not including) the trust anchor.  (Since the
> >client already has the trust anchor, it will verify against its local
> >copy of the root CA, not the copy of the root CA that came from the
> >connection.)
> >
> >Sending the extra certificate doesn't hurt, though.
> >
> >-Kyle H
> >
> >On 2/27/06, Brian Candler <[EMAIL PROTECTED]> wrote:
> >
> >
> >>On Mon, Feb 27, 2006 at 07:36:16PM +0000, Brian Candler wrote:
> >>
> >>
> >>>Ah. I had just used -cert ../server.example.com-cert.pem (where this file
> >>>contains all the certificates). So now I've added -CAfile as well, pointing
> >>>to the same file:
> >>>
> >>>#!/bin/sh
> >>>cd content
> >>>openssl s_server -cert ../server.example.com-cert.pem \
> >>>  -CAfile ../server.example.com-cert.pem \
> >>>  -key ../server.example.com-key.pem \
> >>>  -WWW
> >>>
> >>>And it works. I've removed the sub-CA certificate and its symlink from
> >>>/etc/ssl/certs, but the client can still verify the chain:
> >>>
> >>>
> >>As a follow-up for the benefit of the list archive: to get this to work in
> >>Apache+mod_ssl I just had to uncomment
> >>
> >>SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt
> >>
> >>from httpd.conf, and point it at a file containing the sub-CA's certificate
> >>(signed by the root CA) and the root CA's own self-signed certificate.
> >>
> >>Regards,
> >>
> >>Brian.
> >>______________________________________________________________________
> >>OpenSSL Project                                 http://www.openssl.org
> >>User Support Mailing List                    openssl-users@openssl.org
> >>Automated List Manager                           [EMAIL PROTECTED]
> >>
> >>
> >>
>
>
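The points made in this thread (the server must send its own certificate plus every intermediate up to, but not including, the trust anchor; including the root is harmless; the client validates against its own local copy of the root, not the one the peer sends) can be checked with the openssl command-line tool. The script below is an added example, not code from anyone in the thread: it builds a throwaway root CA, sub CA and server certificate in a temporary directory (all names and extension files are constructed for this example), assembles the chain file the way Brian did, and then plays the client with `openssl verify -CAfile root.pem -untrusted <peer-file>`. It assumes only that an `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example: which certificates must the server send for the client
# to build a path to its local trust anchor? (Not from the thread.)
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files, constructed for this example.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.com\n' > server.ext

# issue NAME SUBJECT EXTFILE [ISSUER]: create a key and certificate.
# Without ISSUER the certificate is self-signed (a root CA).
issue() {
  name=$1; subject=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -subj "$subject" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" \
      -days 30 -sha256 -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -sha256 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

# Hierarchy the client trusts: root -> sub -> server.
issue root   "/CN=Example Root CA"    ca.ext
issue sub    "/CN=Example Sub CA"     ca.ext     root
issue server "/CN=server.example.com" server.ext sub

# A second, unrelated root with the SAME subject name but a different key,
# and a server certificate chained to it. The client does not hold root2.
issue root2   "/CN=Example Root CA"    ca.ext
issue sub2    "/CN=Other Sub CA"       ca.ext     root2
issue server2 "/CN=server.example.com" server.ext sub2

# What the server would send (the -cert/-CAfile or SSLCertificateChainFile
# contents): leaf plus intermediates, with or without the root.
cat server.pem  sub.pem            > chain-without-root.pem
cat server.pem  sub.pem  root.pem  > chain-with-root.pem
cat server2.pem sub2.pem root2.pem > chain2.pem

# Number of PEM certificates in a file.
certs_in() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# client_verifies LEAF PEERFILE: act as the client. Only root.pem is trusted
# locally; everything in PEERFILE is treated as untrusted material that may
# help build a path. Returns 0 if LEAF chains to the local anchor.
client_verifies() {
  if openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo "ok:   $1 verified using peer-supplied $2 ($(certs_in "$2") certs)"
    return 0
  else
    echo "fail: $1 has no path to the local anchor using $2 ($(certs_in "$2") certs)"
    return 1
  fi
}

client_verifies server.pem  chain-without-root.pem          # ok: sub CA supplied
client_verifies server.pem  chain-with-root.pem             # ok: extra root ignored
client_verifies server.pem  server.pem          || true     # fail: sub CA missing
client_verifies server2.pem chain2.pem          || true     # fail: peer's root is not ours
```

The third case is the failure Brian hit before adding `-CAfile`: the leaf alone cannot reach the anchor. The fourth case is Kyle's remark in practice: the peer can ship any self-signed certificate it likes, even one whose subject name matches the real root, and the client still verifies only against the copy it already holds.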
