Hi Serge,

My intention is to keep my root CA out of compromise. We want to use a sub
CA to split the domains in our whole network. Then we can easily
re-sign a new sub CA and publish it if we find one domain sub CA was
compromised. And if we expose the root CA to the public, it is hard to
maintain if the root CA is cracked.

And as you said, "create a new chain and let sub CA be root", I don't
know how to do it. In my testing, I set the verify depth to 1. I guessed it
would make the chain include only the certificate and the sub CA. The test shows
that OpenSSL still tries to find the issuer of the sub CA, and so the
verification failed.

Here is the output:

-with certificate at depth: 1
 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
 subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
 err 20:unable to get local issuer certificate
-with certificate at depth: 1
 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
 subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
 err 27:certificate not trusted
-with certificate at depth: 0
 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
 subject = /C=FI/ST=Tampere/L=Tampere/O=NSN/CN=lab.
 err 27:certificate not trusted

And FYI, here is the complete chain verification output.

-with certificate at depth: 2
 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
 subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
 err 0:ok
-with certificate at depth: 1
 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
 subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
 err 0:ok
-with certificate at depth: 0
 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
 subject = /C=FI/ST=Tampere/L=Tampere/O=NSN/CN=lab.
 err 0:ok

Thanks.

Br

Ben
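An added example, not from this thread, that reproduces Ben's result and shows Serge's "let the sub be the root" suggestion in practice: it builds rootca.pem, subca.pem and cert1.pem as laid out in the original question, then verifies with only the sub CA trusted (Ben's setup), with the sub CA as trust anchor via `-partial_chain`, and with the conventional full chain. It assumes an OpenSSL command line of 1.0.2 or later (the `-partial_chain` option); the CA subjects come from the verify output above, the leaf subject is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build the root -> sub CA -> leaf chain the
# original question describes, then show why trusting only subca.pem fails and
# how to make the sub CA itself the trust anchor. Needs openssl >= 1.0.2.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal req config; the v3_ca extensions are what make subca.pem a valid issuer.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Root CA (self-signed); CA subjects copied from the thread's verify output.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout root.key -out rootca.pem -days 30 -config ca.cnf -extensions v3_ca \
  -subj "/C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA" 2>/dev/null
# Sub CA, signed by the root and marked CA:TRUE.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout sub.key -out sub.csr -config ca.cnf \
  -subj "/C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA" 2>/dev/null
openssl x509 -req -in sub.csr -CA rootca.pem -CAkey root.key -CAcreateserial \
  -out subca.pem -days 30 -extfile ca.cnf -extensions v3_ca 2>/dev/null
# End-entity cert1.pem signed by the sub CA (constructed subject).
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout cert1.key -out cert1.csr -config ca.cnf -subj "/O=NSN/CN=cert1" 2>/dev/null
openssl x509 -req -in cert1.csr -CA subca.pem -CAkey sub.key -CAcreateserial \
  -out cert1.pem -days 30 2>/dev/null
# Ben's setup: only subca.pem trusted. OpenSSL still walks up to the root and stops
# with "err 20: unable to get local issuer certificate" at depth 1; -verify_depth
# only caps chain length, it never turns an intermediate into a trust anchor.
verify_sub_only() { openssl verify -CAfile subca.pem cert1.pem >/dev/null 2>&1; }
# Serge's "let the sub be the root": -partial_chain lets a trusted, non-self-signed
# CA terminate the chain, so the root never has to be distributed to the peers.
verify_partial() { openssl verify -partial_chain -CAfile subca.pem cert1.pem >/dev/null 2>&1; }
# Conventional full chain for comparison: root trusted, sub CA passed as untrusted.
verify_full() { openssl verify -CAfile rootca.pem -untrusted subca.pem cert1.pem >/dev/null 2>&1; }
verify_sub_only && echo "unexpected: sub-only verify passed" || echo "sub-only verify fails, as in Ben's log"
verify_partial && echo "-partial_chain: sub CA accepted as trust anchor"
verify_full && echo "full chain with root: ok"
```

Inside a TLS application the same switch is the `X509_V_FLAG_PARTIAL_CHAIN` verify flag on the store; the sub CA then has to be protected as carefully as a root, since whoever holds it can issue certificates the peers accept.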

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
Sent: Tuesday, September 01, 2009 2:14 PM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca

Hi,

Hmm...

I've had the same issue.
Basically it came down to "how do you know if the sub is reliable if
you do not know whether to trust the root?"
If you do not wish to have the root as part of the chain, create a new
chain where the sub is the root.
What is the reason you do not want to use the root in the chain check,
but it should be part of the chain?

HTH

Regards,

Serge Fonville

On Tue, Sep 1, 2009 at 1:04 PM, Yin, Ben 1. (NSN - CN/Cheng Du) <ben.1....@nsn.com> wrote:
> Hi,
>
> Is there a way to verify a certificate without the root CA? I have 4
> certificates:
> rootca.pem is the root CA (self-signed). subca.pem was signed by
> rootca.pem.
> cert1.pem & cert2.pem were signed by subca.pem. I was supposed to
> configure the client and server using subca.pem as CA, and cert1.pem &
> cert2.pem as certificate. It seems that OpenSSL still tries to find
> rootca.pem to verify subca.pem during the handshake. But I don't want
> root.pem to be accessed, for keeping it safe. So is there a way to
> verify a certificate without the root CA, only using the sub CA and the
> certificate signed by the sub CA? Thanks.
>
> Br
>
> Ben
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org