On 2010-07-16, at 5:37 PM, Rene Hollan wrote:

> What? No plug for pathfinder?

Heh - Given that he asked why Windows wasn't pulling it, there was no need... it's a straight AIA question. However, if he was asking how to get Apache to recognize it (or any of the other various applications that have patches available) then I would have (one would still require the AIA field, though) :)

Have fun.

Patrick.

> -----Original Message-----
> From: owner-openssl-us...@openssl.org on behalf of Patrick Patterson
> Sent: Fri 7/16/2010 11:58 AM
> To: openssl-users@openssl.org
> Subject: Re: Help creating certificate chain
>
> Hello Hugo:
>
> On July 16, 2010 02:31:53 pm Hugo Garza wrote:
>> Hello Stephen, thank you for your comment that made the verification pass.
>> But I'm a bit confused now.
>>
>> Just as a demo I moved these certs to my Windows computer and installed the Root CA into my current user's Trusted Root Certificate Authorities folder using the MMC certificates snap-in. Then I double-click the inter CA certificate and Windows says it's OK. But when I double-click the user's certificate it says that it doesn't have enough information to verify the certificate.
>>
>> This is strange to me, because I can visit lots of websites for which I know I don't have the intermediate CA installed, and it all works. For instance I can visit gmail and it says the root is Class 3 Public Primary Certification Authority by Verisign, and I can see that it's installed in my Windows Trusted Root Certificate Authorities. The next certificate is Thawte SGC CA, which is nowhere in my Trusted Root Certificate Authorities, and finally is mail.google.com, and Windows says it's valid.
>>
>> Am I missing some extension when I create the end user certificate, or what part of this puzzle is escaping my grasp?
>>
> Yes, you probably are missing the "AuthorityInformationAccess" extension in the client certificate. This is an X.509 extension that contains, in the "caIssuers" field, a URI that points to a location that an application that is performing path construction may use to download the certificate for that certificate's issuer. Inside of THAT certificate, there should be another "AuthorityInformationAccess" extension which points to THAT certificate's issuer, all the way up the line to a self-signed certificate that SHOULD NOT have an AIA field.
>
> For a full description, including the formatting of the certificate to be downloaded, please see RFC5280.
>
> As an aside, even with an AIA extension, the OpenSSL library (and by extension, the command line tool) will NOT fetch intermediate certificates for you (which is why you needed to put both certs in the cafile.pem) - this is because it doesn't have any code to be an HTTP or LDAP client (probably a good thing :). If you want to do path construction, you have to write an application that uses OpenSSL for the crypto, but your application has to handle all of the network access.
>
> Have fun!
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
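The chain Patrick describes in the quoted reply, as an added example that is not part of the thread and not OpenSSL's own documentation: a root, an intermediate and a leaf where the leaf and the intermediate each carry an AuthorityInformationAccess caIssuers URI pointing at their issuer, and the self-signed root carries none. The verify runs at the end show the point he makes about OpenSSL: the URI is never fetched, so with only the root trusted the leaf fails to verify, and it passes only once the intermediate is handed over locally (here via -untrusted, the equivalent of putting both certs in the cafile.pem). The subject names, the hostname ca.example.test and the URIs are constructed placeholders; the script assumes an openssl binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> leaf with
# AIA caIssuers on the leaf and intermediate, then show that `openssl verify`
# still needs the intermediate supplied locally because OpenSSL does not follow
# the URI. All names, hostnames and URLs below are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-contained config: a minimal [req] section (so the system openssl.cnf is
# not needed) plus one extension section per certificate tier.
write_ext_config() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder

[ root_ext ]
# Self-signed trust anchor: CA, deliberately no AIA (nothing above it).
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ inter_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Where a path builder could fetch this certificate's issuer (the root).
authorityInfoAccess = caIssuers;URI:http://ca.example.test/root.cer

[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Where a path builder could fetch this certificate's issuer (the intermediate).
authorityInfoAccess = caIssuers;URI:http://ca.example.test/inter.cer
EOF
}

# issue NAME SUBJECT EXT_SECTION [ISSUER]: P-256 key + CSR, signed with the
# named extension section; without ISSUER the certificate is self-signed.
issue() {
  name=$1; subject=$2; ext=$3; issuer=$4
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -config "$WORK/ext.cnf" -key "$WORK/$name.key" \
    -subj "$subject" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 365 -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
      -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_chain() {
  write_ext_config
  issue root  "/CN=Demo Root"         root_ext
  issue inter "/CN=Demo Intermediate" inter_ext root
  issue leaf  "/CN=www.example.test"  leaf_ext  inter
}

# The caIssuers URI carried by the leaf (what a CAPI-style path builder follows).
leaf_ca_issuers_uri() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

# Exit 0 only if the leaf chains to the root with nothing but the root trusted.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same, with the intermediate supplied locally as an untrusted chain certificate.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  build_chain
  echo "leaf AIA caIssuers: $(leaf_ca_issuers_uri)"
  verify_root_only && echo "root only: verified" \
    || echo "root only: FAILS (OpenSSL does not fetch the AIA URI)"
  verify_with_intermediate && echo "with -untrusted inter.pem: verified"
fi
```

Run with the single argument demo: the first verify fails at depth 0 because the leaf's issuer is not available locally, even though the leaf names exactly where to get it; the second succeeds. The same certificates imported into the Windows store would verify, because that path builder does follow caIssuers, which is the difference Hugo observed.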