I think I have found an answer to my question #2 below. From what I can see, when I generate a certificate chain, the sub CA certificate does not specify key usage (assume this is due to my openssl.cnf configuration). When I sign my endpoint cert with the sub CA cert, the openssl verification is successful. When I try to verify with a sub CA that has only Key Usage=Digital Certificate, then I get the following errors:
openssl verify -verbose -issuer_checks -CAfile master.pem local.pem local.pem: /O=state/CN=10.32.128.3 error 29 at 0 depth lookup:subject issuer mismatch /O=state/CN=10.32.128.3 error 29 at 0 depth lookup:subject issuer mismatch /O=state/CN=10.32.128.3 error 29 at 0 depth lookup:subject issuer mismatch /O=state/CN=10.32.128.3 error 32 at 0 depth lookup:key usage does not include certificate signing /O=state/CN=10.32.128.3 error 32 at 0 depth lookup:key usage does not include certificate signing /O=state/CN=10.32.128.3 error 29 at 0 depth lookup:subject issuer mismatch /O=state/CN=10.32.128.3 error 20 at 0 depth lookup:unable to get local issuer certificate Master.pem includes the root and sub CA certs. So can I assume that if basic contraints=CA:TRUE and there is no key usage specified, this CA can perform all operations (sign, crl, etc.)? And when key usage is specified, it can only perform those operations and that is why the verification shown above failed? Thanks. Leo P.S. - Any comments on my other questions? :) -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Koutikas, Elias Sent: Friday, July 10, 2009 2:45 PM To: openssl-users@openssl.org Subject: questions regarding certificate chains Hello everyone! I have a couple of questions regarding certificate chains that I hope can be answered. The certificate chain goes something like this: root CA -> subordinate CA -> endpoint. 1) Must each endpoint have access to the root CA certificate in order to establish client TLS connections? I would think yes. How else can the client validate the certificate chain presented to it by the server (ie. sub CA cert and signed endpoint cert)? Must all cert chains end in a self-signed root cert? 2) If the subordinate CA is configured to sign certificates and CRLs, shouldn't the X509v3 Key Usage field of the sub CA cert contain certificate sign and CRL sign? Currently the sub CA I am using only has digital signature set, but it has signed a certificate signing request from my endpoint and I was able to obtain a signed CRL as well (Issuer of CRL is subject of sub CA cert). 3) When openssl verifies a certificate against a CRL (X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL flags set in X509_STORE), will it try to find the CA who signed this CRL in the store and verify the key usage for that cert is set to CRL sign? I am currently getting an "unable to get CRL issuer certificate" error and I am trying to determine if it is because I do not have a root CA cert in the store or because the key usage field of the sub CA cert is incorrect. 4) How do I add multiple chained CA certs to the store? Is X509_STORE_add_cert() sufficient? Will all certificates be presented when an incoming TLS connection is established, or only all certs up to and not including the root CA certificate? Any help with these questions would be greatly appreciated. Thanks. Leo Koutikas SMTS Software Engineer IPC Systems, Inc. DISCLAIMER: This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unintended recipients are prohibited from taking action on the basis of information in this e-mail.E-mail messages may contain computer viruses or other defects, may not be accurately replicated on other systems, or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. If you are not comfortable with the risks associated with e-mail messages, you may decide not to use e-mail to communicate with IPC. IPC reserves the right, to the extent and under circumstances permitted by applicable law, to retain, monitor and intercept e-mail messages to and from its systems. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
