Thanks Steve, 

Yes, the keyUsage is present but the sign bit is not set. As a background on 
this, the user does not want his CA to set the sign bit for non-root 
certificates. 

I am not sure I understand why the client is broken? Did you mean that the sign 
bit can be omitted if the client sends the entire chain of certificates (except 
maybe the root) AND the server has the certificate chain as well? Thanks.

Mourad.

Here is a snippet of the extensions:

            X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:  

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 28, 2009 5:00 AM
To: openssl-users@openssl.org
Subject: Re: TLS trust of a chain of certificates up to a root CA. Certificate 
Sign extension not set

On Tue, Oct 27, 2009, Mourad Cherfaoui wrote:

> 
> Hi,
> 
> I have a chain of certificates C->B->A->RootCA. The TLS client only
> presents C during the TLS handshake. RootCA has the Certificate Sign
> extension set but not B and A. The TLS server fails the TLS handshake
> because of the absence of the Certificate Sign extension in B and A.
> 
> My first question: if the TLS server has the entire chain of certificates
> B->A->RootCA in its truststore, is it correct to assume that the
> Certificate Sign extension is not required in B and A? My second
> question: by default the TLS server will fail the TLS handshake because
> of the absence of the Certificate Sign extension. Is there a recommended
> way to disable the check for this extension in the TLS handshake?
> 
> Thanks,
> Mourad.
> 

The client is broken then: the standard requires that the entire chain be 
presented with the possible exception of the root.

What do you mean by "Certificate Sign extension"? Do you mean the keyUsage 
extension is present but doesn't set the certificate sign bit? If so the 
certificate is broken.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
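An added example, not from the thread or from OpenSSL, of the check Steve describes: it decodes the keyUsage BIT STRING of each certificate and flags every issuer in a C->B->A->RootCA chain whose keyUsage lacks keyCertSign. The DER bytes are constructed by hand to match the snippet Mourad posted (Digital Signature, Key Encipherment) and a typical CA certificate (Certificate Sign, CRL Sign); it looks at keyUsage only, not basicConstraints.

```python
# Added example (not from the thread): decode an X.509 keyUsage extension
# value and report which issuers in a chain may not sign certificates.
# Input is the DER BIT STRING found inside the extension's extnValue
# (RFC 5280 4.2.1.3). All sample bytes below are constructed by hand.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Return the set of keyUsage flag names asserted in a DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or non-short-form length")
    unused, body = der[2], der[3:]          # first content byte = unused bits
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    flags = set()
    for i in range(nbits):                  # bit 0 is the MSB of body[0]
        if body[i // 8] & (0x80 >> (i % 8)):
            flags.add(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return flags

def chain_problems(chain):
    """chain: list of (name, keyUsage DER or None), leaf first, root last.
    Every certificate that issued the one before it must assert keyCertSign
    if it carries a keyUsage extension at all (RFC 5280 4.2.1.3)."""
    problems = []
    for name, ku in chain[1:]:
        if ku is None:
            continue  # no keyUsage extension: the RFC does not forbid signing
        if "keyCertSign" not in decode_key_usage(ku):
            problems.append(name)
    return problems

# Constructed sample mirroring the thread: B and A carry "Digital Signature,
# Key Encipherment" (bits 0 and 2 -> 0xA0 with 5 unused bits), RootCA carries
# "Certificate Sign, CRL Sign" (bits 5 and 6 -> 0x06 with 1 unused bit).
END_ENTITY_KU = bytes.fromhex("030205a0")
CA_KU = bytes.fromhex("03020106")
SAMPLE_CHAIN = [("C", END_ENTITY_KU), ("B", END_ENTITY_KU),
                ("A", END_ENTITY_KU), ("RootCA", CA_KU)]

if __name__ == "__main__":
    print(sorted(decode_key_usage(END_ENTITY_KU)))
    print("issuers lacking keyCertSign:", chain_problems(SAMPLE_CHAIN))
```

Running it on the sample chain reports B and A, which is exactly why a verifier following RFC 5280 rejects the handshake even when the server has the full chain in its truststore.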
