I'm a relative newcomer to OpenSSL so I apologize in advance if this has
been asked before.
I'm trying to get an OpenSSL client to accept only a *specific* server
certificate as opposed to it accepting any certificate that is issued by
a given CA.
I need to skip the hostname check - the client will be going through an
SSL terminator that contains certificates that were issued to other
hostnames on the network (the terminator doesn't have a public IP
address or domain name and can't use wildcard certificates).
For testing purposes, I created my own CA. Then I used the CA.pl script
to create a certificate request, and then signed the certificate
request.
Next, I used openssl to export a PKCS12 keystore that included the
certificate chain - i.e., the issued certificate, the issuer's
certificate (my CA) and the created private key for the issued
certificate.
Using a browser, I can see that I get the entire certificate chain sent
to me from my web server.
Now, on the client I'm trying to make sure that only the certificate
I've created is valid and that any other certificate is not valid. What
I'm seeing is that the client doesn't seem to care about the server
certificate as long as it has the CA certificate in its trusted
certificates file. If the client certificate is in the trusted
certificates file and the CA certificate is not there, server
certificate validation fails. If the CA certificate is there and the
server certificate is NOT there, things work fine, which seems to
indicate that the client just doesn't care about the server certificate
at all other than it is some token that it validates via another trusted
certificate.
Is there any way I can make the client ONLY accept the one and only
server certificate that I specify and deny other certificates issued by
the same certificate authority?
Again, sorry if this is an obvious question ...
