On Fri, Jul 16, 2010, Hugo Garza wrote:

> Hello Stephen, thank you for your comment that made the verification pass.
> But I'm a bit confused now.
> 
> Just as a demo I moved these certs to my Windows computer and installed the
> Root CA into my current user's Trusted Root Certificate Authorities folder
> using the MMC certificates snap-in. Then I double-click the inter CA
> certificate and Windows says it's OK. But when I double-click the user's
> certificate it says that it doesn't have enough information to verify the
> certificate.
> 
> This is strange to me, because I can visit lots of websites where I know I
> don't have the intermediate CA installed and it all works. For instance I can
> visit Gmail and it says the root is Class 3 Public Primary Certification
> Authority by Verisign, and I can see that it's installed in my
> Windows Trusted Root Certificate Authorities. The next certificate is Thawte
> SGC CA, which is nowhere in my Trusted Root Certificate Authorities, and
> finally is mail.google.com and Windows says it's valid.
> 
> Am I missing some extension when I create the end user certificate, or what
> part of this puzzle is escaping my grasp?
> 

What you are missing is that when you visit a website it doesn't just send the
user certificate back; it also sends intermediate CAs too, the root being
optional.

What that means is that as long as you have the correct root trusted, the
certificates presented are sufficient to verify the end entity certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
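
The behaviour described in the reply can be reproduced with the `openssl` command line. The script below is an added example, not part of the original thread: it builds a constructed root -> intermediate -> user chain (all subject and file names are made up) and verifies the user certificate with only the root trusted, then with the intermediate supplied through `-untrusted`, which plays the role of the intermediates a TLS server sends in its handshake.

```shell
#!/bin/sh
# Added example. Constructed demo PKI: root -> intermediate -> user.
# All subject names and file names are made up for this demonstration.
make_pki() {  # $1 = empty working directory
  (
    cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ee]
basicConstraints = CA:FALSE
EOF
    # Self-signed root, then an intermediate signed by it, then a user cert signed by the intermediate.
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 30 &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile demo.cnf -extensions v3_ca -out inter.pem -days 30 &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout user.key -out user.csr -subj "/CN=demo-user" &&
    openssl x509 -req -in user.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -extfile demo.cnf -extensions v3_ee -out user.pem -days 30
  ) >/dev/null 2>&1
}

# Prints OK or FAIL. Only root.pem is ever trusted; extra options are passed to `openssl verify`.
check_cert() {  # $1 = PKI dir, $2 = cert file, rest = extra verify options
  dir=$1 cert=$2; shift 2
  if openssl verify -CAfile "$dir/root.pem" "$@" "$dir/$cert" 2>/dev/null |
       grep -q ': OK$'
  then echo OK; else echo FAIL; fi
}

PKI=$(mktemp -d)
make_pki "$PKI" || exit 1
echo "intermediate, root trusted:           $(check_cert "$PKI" inter.pem)"
echo "user cert, root trusted only:         $(check_cert "$PKI" user.pem)"
echo "user cert, intermediate as untrusted: $(check_cert "$PKI" user.pem -untrusted "$PKI/inter.pem")"
```

The middle case matches double-clicking a lone user certificate file: the verifier has the root but nothing that links the user certificate to it.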