If your client application supports that, it could be done. but no
standard compliant application allows that to my knowledge.

On Wed, Sep 2, 2009 at 10:35 AM, Yin, Ben 1. (NSN - CN/Cheng
Du)<ben.1....@nsn.com> wrote:
> Hi Serge,
>
> Maybe we can put the root ca into the verification chain if I can prove the 
> verfiy certificate using only sub ca is impossible. But before that, do you 
> know if it's possible to verfiy certificate without root ca? Thanks.
>
>
> Br
>
> Ben
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
> Sent: Wednesday, September 02, 2009 11:28 AM
> To: openssl-users@openssl.org
> Subject: Re: Verify certificate using subordinate ca
>
> How do you think compromising a CA would occur, because a CA could
> only becom compromised when someone leaks the key for that specific CA
> And if it happens once, it will likely happen twice. And I hope in
> your best interest, you are not distributing keys to terminals.
>
> Also, if you need to copy a file to 1000^2 terminals, use a script.
> I assume you have a list of all these terminals (otherwise you have a
> serious problem)
>
> I assume you are using server certificates and client certificates.
> with these there corresponds a CRL, this crl can be automatically used
> by any clientapplication that uses a certificate issued by any CA
>
> Bacically, are you distributing keys to terminals?
>
> Regards,
>
> Serge Fonville
>
> On Wed, Sep 2, 2009 at 8:21 AM, Yin, Ben 1. (NSN - CN/Cheng
> Du)<ben.1....@nsn.com> wrote:
>> OK, regarding the CA deploy, such as, we have a one root ca and 1000 sub ca 
>> signed by root ca. and each sub ca used as ca by 1000 terminals.so the total 
>> network size is 1000*1000. All our ca, including root ca and sub ca, was 
>> stored offline. I need copy sub ca to terminal it was used. So if one of sub 
>> ca was compromised, what I need to do is sign a new sub ca using root ca and 
>> copy it to 1000 terminal where sub ca has been compromised. And if root ca 
>> was compromised, I need to re-deploy CA on 1000*1000 terminal mannuly. That 
>> is why I want to keep root ca out of the chain. And only using sub ca and 
>> certificate to do the verification.  Dose it possible? It seems that openssl 
>> always try to find the issuer of sub ca during tht chain verification 
>> because it wasn't self signed root ca.
>>
>>
>> Br
>>
>> Ben
>>
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org 
>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
>> Sent: Tuesday, September 01, 2009 5:14 PM
>> To: openssl-users@openssl.org
>> Subject: Re: Verify certificate using subordinate ca
>>
>> I don't see your problem honestly. Figuring out a private key is close
>> to impossible.
>> And stealing it, well, that is more related to security itself than to
>> the actual key being secure or not.
>>
>> >From what I understand, a chain works somewhat like this
>>
>> you
>> --peter
>> ----john
>> ------carl
>>
>> You talk to peter, peter is trusted by john, john is trusted by carl,
>> you trust carl
>> Say if you were to obsolete carl in this chain (by trusting john) john
>> would then become the root
>> If this is the case, why would you want to have carl at all?
>>
>> Thawte, verisign etc work the same way
>>
>> Also, why is distributing a CA cert so difficult?
>> What is your environment?
>> What applications are using the certs?
>> And how do they verify the chain?
>>
>> Again, without the key for each CA it can't be compromised
>> Has this actually happened or is this someone eing paranoid?
>>
>> Who has created the chain?
>>
>> I'm still not clear of the purpose of the root ca if it should not
>> need to be trusted
>>
>> Regards,
>>
>> Serge Fonville
>>
>> On Tue, Sep 1, 2009 at 3:52 PM, Yin, Ben 1. (NSN - CN/Cheng
>> Du)<ben.1....@nsn.com> wrote:
>>> No. In our enviroment. The root CA private key is isolated and absolutly 
>>> safe. Regarding the compromised, I means CA can't be trusted any more, Such 
>>> as the private key was stolen some how or someone find a way to figure out 
>>> private key for one CA. it easy to set up new sub ca in one domain if those 
>>> compromise happened on sub ca. but if it happened on root ca, it's quite 
>>> hard to fix the our whole network. Thanks.
>>>
>>>
>>> Br
>>>
>>> Ben
>>>
>>> -----Original Message-----
>>> From: owner-openssl-us...@openssl.org 
>>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
>>> Sent: Tuesday, September 01, 2009 4:31 PM
>>> To: openssl-users@openssl.org
>>> Subject: Re: Verify certificate using subordinate ca
>>>
>>> Based on what you state.
>>> There is no purpose for the root CA.
>>>
>>> What do you mean by compromised.
>>> If you publish a CA certificate to clients, it does not include the
>>> key. (normally)
>>> So the only thing a client can do is use it in the session at best.
>>> There is NO way a client can use a CA certificate to sign anything
>>> without the corresponding key.
>>>
>>> I have a chain on my website, and noone (except me, because I can
>>> access the server) is able to sign anything. Since the CAs are only
>>> used for signing and verifying and not for encrypting, if the CA keys
>>> are stored safely, there is no 'compromise'
>>>
>>> Are you distributing the keys as well?
>>>
>>> HTH
>>>
>>> Regards,
>>>
>>> Serge Fonville
>>>
>>>
>>> On Tue, Sep 1, 2009 at 2:13 PM, Yin, Ben 1. (NSN - CN/Cheng
>>> Du)<ben.1....@nsn.com> wrote:
>>>> I only want to verfiy the signature (I mean the procedure when sub ca
>>>> sign the certiticate). So I guess sub ca and certification should has
>>>> enough info to do it because we needn't root ca when we use sub ca to
>>>> sign the certificate.  Is there a way for this requirement? Thanks.
>>>>
>>>>
>>>> Br
>>>>
>>>> Ben
>>>>
>>>> -----Original Message-----
>>>> From: owner-openssl-us...@openssl.org
>>>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Yin, Ben 1.
>>>> (NSN - CN/Cheng Du)
>>>> Sent: Tuesday, September 01, 2009 3:06 PM
>>>> To: openssl-users@openssl.org
>>>> Subject: RE: Verify certificate using subordinate ca
>>>>
>>>> Hi Serge,
>>>>
>>>> My intention is to keep my root ca out of compromise. We want to use sub
>>>> ca to splite the domain in the our whole network. Then, we can easy to
>>>> re-sign a new sub ca and publish it if we find one domain sub ca was
>>>> compromised. And if we expose the the root ca to public ,it hard to
>>>> maintain if root ca was cracked.
>>>>
>>>> And as you said, "create a new chain and let sub ca as root", I don't
>>>> know how to do it. In my testing, I set verify depth to 1. I guess it
>>>> will make chain only include certificate and sub ca. the testing show
>>>> that the openssl still try to find the issuer of sub ca, and so the
>>>> verification was failed.
>>>>
>>>> Here is the output:
>>>>
>>>>  -with certificate at depth: 1
>>>>  issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
>>>>  subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
>>>>  err 20:unable to get local issuer certificate
>>>> -with certificate at depth: 1
>>>>  issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
>>>>  subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
>>>>  err 27:certificate not trusted
>>>> -with certificate at depth: 0
>>>>  issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
>>>>  subject = /C=FI/ST=Tampere/L=Tampere/O=NSN/CN=lab.
>>>>  err 27:certificate not trusted
>>>>
>>>> And FYI. Here is the complete chain verfication output.
>>>>
>>>> -with certificate at depth: 2
>>>>  issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
>>>>  subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
>>>>  err 0:ok
>>>> -with certificate at depth: 1
>>>>  issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Root CA
>>>>  subject = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
>>>>  err 0:ok
>>>> -with certificate at depth: 0
>>>>  issuer = /C=fi/O=WCDMA/CN=NSN Tre WCDMA Sub1 CA
>>>>  subject = /C=FI/ST=Tampere/L=Tampere/O=NSN/CN=lab.
>>>>  err 0:ok
>>>>
>>>> Thanks.
>>>>
>>>> Br
>>>>
>>>> Ben
>>>>
>>>> -----Original Message-----
>>>> From: owner-openssl-us...@openssl.org
>>>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
>>>> Sent: Tuesday, September 01, 2009 2:14 PM
>>>> To: openssl-users@openssl.org
>>>> Subject: Re: Verify certificate using subordinate ca
>>>>
>>>> Hi,
>>>>
>>>> Hmm...
>>>>
>>>> I've had the same issue.
>>>> Basically it came down to "how do you know if the sub is reliable if
>>>> you do not know whether to trust the root?"
>>>> If you do not wish to have the root as part of the chain, create a new
>>>> chain where the sub is the root
>>>> What is the reason you do not want to use the root in the chain check,
>>>> but it should be part of the chain?
>>>>
>>>> HTH
>>>>
>>>> Regards,
>>>>
>>>> Serge Fonville
>>>>
>>>> On Tue, Sep 1, 2009 at 1:04 PM, Yin, Ben 1. (NSN - CN/Cheng
>>>> Du)<ben.1....@nsn.com> wrote:
>>>>> Hi,
>>>>>
>>>>> It there a way to verify certificate with out root ca? I have 4
>>>> certificate:
>>>>> rootca.pem is the root ca (self signed). subca.pem was signed by
>>>> rootca.pem.
>>>>> cert1.pem & cert2.pem was signed by subca.pem. I was supposed to
>>>> configure
>>>>> the client and server using subca.pem as ca, and cert1.pem & cert2.pem
>>>> as
>>>>> certificate. It seem that openssl still try to find rootca.pem to
>>>> verfiy
>>>>> subca.pem when handshake. But I don't what root.pem can bo accessed
>>>> for
>>>>> keeping it safe. So It there a way to verify certificate with out root
>>>> ca,
>>>>> only using sub ca and certificate signed by sub ca? Thanks.
>>>>>
>>>>> Br
>>>>>
>>>>> Ben
>>>> ______________________________________________________________________
>>>> OpenSSL Project                                 http://www.openssl.org
>>>> User Support Mailing List                    openssl-us...@openssl.org
>>>> Automated List Manager                           majord...@openssl.org
>>>> ______________________________________________________________________
>>>> OpenSSL Project                                 http://www.openssl.org
>>>> User Support Mailing List                    openssl-us...@openssl.org
>>>> Automated List Manager                           majord...@openssl.org
>>>> ______________________________________________________________________
>>>> OpenSSL Project                                 http://www.openssl.org
>>>> User Support Mailing List                    openssl-us...@openssl.org
>>>> Automated List Manager                           majord...@openssl.org
>>>>
>>> ______________________________________________________________________
>>> OpenSSL Project                                 http://www.openssl.org
>>> User Support Mailing List                    openssl-us...@openssl.org
>>> Automated List Manager                           majord...@openssl.org
>>> ______________________________________________________________________
>>> OpenSSL Project                                 http://www.openssl.org
>>> User Support Mailing List                    openssl-us...@openssl.org
>>> Automated List Manager                           majord...@openssl.org
>>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-us...@openssl.org
>> Automated List Manager                           majord...@openssl.org
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-us...@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to