Hi Serge, My intention is to keep my root ca out of compromise. We want to use sub ca to splite the domain in the our whole network. Then, we can easy to re-sign a new sub ca and publish it if we find one domain sub ca was compromised. And if we expose the the root ca to public ,it hard to maintain if root ca was cracked.
And as you said, "create a new chain and let sub ca as root", I don't know how to do it. In my testing, I set verify depth to 1. I guess it will make chain only include certificate and sub ca. the testing show that the openssl still try to find the issuer of sub ca, and so the verification was failed. Here is the output: -with certificate at depth: 1 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA err 20:unable to get local issuer certificate -with certificate at depth: 1 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA err 27:certificate not trusted -with certificate at depth: 0 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA subject = /C=FI/ST=Tampere/L=Tampere/O=NSN/CN=lab. err 27:certificate not trusted And FYI. Here is the complete chain verfication output. -with certificate at depth: 2 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA err 0:ok -with certificate at depth: 1 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA err 0:ok -with certificate at depth: 0 issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA subject = /C=FI/ST=Tampere/L=Tampere/O=NSN/CN=lab. err 0:ok Thanks. Br Ben -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville Sent: Tuesday, September 01, 2009 2:14 PM To: openssl-users@openssl.org Subject: Re: Verify certificate using subordinate ca Hi, Hmm... I've had the same issue. Basically it came down to "how do you know if the sub is reliable if you do not know whether to trust the root?" If you do not wish to have the root as part of the chain, create a new chain where the sub is the root What is the reason you do not want to use the root in the chain check, but it should be part of the chain? HTH Regards, Serge Fonville On Tue, Sep 1, 2009 at 1:04 PM, Yin, Ben 1. (NSN - CN/Cheng Du)<ben.1....@nsn.com> wrote: > Hi, > > It there a way to verify certificate with out root ca? I have 4 certificate: > rootca.pem is the root ca (self signed). subca.pem was signed by rootca.pem. > cert1.pem & cert2.pem was signed by subca.pem. I was supposed to configure > the client and server using subca.pem as ca, and cert1.pem & cert2.pem as > certificate. It seem that openssl still try to find rootca.pem to verfiy > subca.pem when handshake. But I don't what root.pem can bo accessed for > keeping it safe. So It there a way to verify certificate with out root ca, > only using sub ca and certificate signed by sub ca? Thanks. > > Br > > Ben ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org