Hello Hugo:

On July 16, 2010 02:31:53 pm Hugo Garza wrote:
> Hello Stephen, thank you for your comment that made the verification pass.
> But I'm a bit confused now.
> 
> Just as a demo I moved these certs to my windows computer and installed the
> Root CA into my current user's Trusted Root Certificate Authorities folder
> using the MMC certificates snap in. Then I double click the inter CA
> certificate and Windows says it's OK. But when I double click the users
> certificate it says that it doesn't have enough information to verify the
> certificate.
> 
> This is strange to me, because I can visit lots of websites for which I know I
> don't have the intermediate CA installed, and it all works. For instance I can
> visit gmail and it says the root is Class 3 Public Primary Certification
> Authority by Verisign, and I can see that it's installed in my
> windows Trusted Root Certificate Authorities. The next certificate is
> Thawte SGC CA which is nowhere in my Trusted Root Certificate Authorities
> and finally is mail.google.com and windows says it's valid.
> 
> Am I missing some extension when I create the end user certificate, or what
> part of this puzzle is escaping my grasp?
> 
Yes, you probably are missing the "AuthorityInformationAccess" extension in
the client certificate. This is an X.509 extension that contains, in the
"caIssuers" field, a URI that points to a location that an application that is
performing path construction may use to download the certificate for that
certificate's issuer. Inside of THAT certificate, there should be another
"AuthorityInformationAccess" extension which points to THAT certificate's
issuer, all the way up the line to a self-signed certificate that SHOULD NOT
have an AIA field.

For a full description, including the formatting of the certificate to be 
downloaded, please see RFC5280.
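As an added example (not part of the thread or of OpenSSL), here is the AIA extension value described above, encoded and decoded in pure Python so you can see the SEQUENCE of AccessDescription entries a path builder walks to find the caIssuers URI; the hostnames are constructed placeholders.

```python
# Added example (not from the thread): build and parse the DER value of an X.509
# AuthorityInformationAccess extension (RFC 5280, section 4.2.2.1) in pure Python,
# to show exactly what a path-building client reads to locate the issuer's
# certificate. Hostnames used with it are constructed placeholders.
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers: where to fetch the issuer cert
OID_CA_ISSUERS_DER = bytes.fromhex("2b06010505073002")  # same OID, pre-encoded body
TAG_SEQ, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # 0x86 = GeneralName [6] uniformResourceIdentifier

def _tlv(tag, body):  # DER tag-length-value; long-form length when body >= 0x80 bytes
    n = len(body)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def encode_aia(entries):
    """entries: [(pre-encoded accessMethod OID body, URI)] -> DER AuthorityInfoAccessSyntax."""
    return _tlv(TAG_SEQ, b"".join(
        _tlv(TAG_SEQ, _tlv(TAG_OID, oid) + _tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in entries))

def _read_tlv(buf, pos):  # -> (tag, body, offset just past this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OID body -> dotted string (base-128 arcs, first byte packs two)
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def ca_issuer_uris(aia_der):
    """caIssuers URIs a path builder would try, in order. A self-signed root
    should have no AIA at all, so for it there is nothing to call this on."""
    tag, seq, _ = _read_tlv(aia_der, 0)
    if tag != TAG_SEQ:
        raise ValueError("AuthorityInfoAccessSyntax must be a SEQUENCE")
    uris, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)  # one AccessDescription
        t1, oid, p = _read_tlv(desc, 0)     # accessMethod
        t2, loc, _ = _read_tlv(desc, p)     # accessLocation (GeneralName)
        if t1 == TAG_OID and decode_oid(oid) == OID_CA_ISSUERS and t2 == TAG_URI:
            uris.append(loc.decode("ascii"))
    return uris
```

In an OpenSSL extension section the same entry is written as `authorityInfoAccess = caIssuers;URI:http://pki.example.test/inter.cer`; you can inspect the result with `openssl x509 -noout -text`.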

As an aside, even with an AIA extension, the OpenSSL library (and by
extension, the command line tool) will NOT fetch intermediate certificates for
you (which is why you needed to put both certs in the cafile.pem) - this is
because it doesn't have any code to be an HTTP or LDAP client (probably a good
thing :). If you want to do path construction, you have to write an application
that uses OpenSSL for the crypto, but your application has to handle all of
the network access.

Have fun!

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org