Thanks a lot for the explanation, Patrick, that did the trick!

On Fri, Jul 16, 2010 at 1:58 PM, Patrick Patterson <ppatter...@carillonis.com> wrote:
> Hello Hugo:
>
> On July 16, 2010 02:31:53 pm Hugo Garza wrote:
> > Hello Stephen, thank you for your comment that made the verification pass.
> > But I'm a bit confused now.
> >
> > Just as a demo I moved these certs to my windows computer and installed the
> > Root CA into my current user's Trusted Root Certificate Authorities folder
> > using the MMC certificates snap-in. Then I double click the inter CA
> > certificate and Windows says it's OK. But when I double click the user's
> > certificate it says that it doesn't have enough information to verify the
> > certificate.
> >
> > This is strange to me, because I can visit lots of websites that I know I
> > don't have the intermediate CA installed for, and it all works. For instance I can
> > visit gmail and it says the root is Class 3 Public Primary Certification
> > Authority by Verisign, and I can see that it's installed in my
> > windows Trusted Root Certificate Authorities. The next certificate is
> > Thawte SGC CA which is nowhere in my Trusted Root Certificate Authorities
> > and finally is mail.google.com and windows says it's valid.
> >
> > Am I missing some extension when I create the end user certificate, or what
> > part of this puzzle is escaping my grasp?
>
> Yes, you probably are missing the "AuthorityInformationAccess" extension in
> the client certificate. This is an X.509 extension that contains, in the
> "caIssuers" field, a URI that points to a location that an application that is
> performing path construction may use to download the certificate for that
> certificate's issuer. Inside of THAT certificate, there should be another
> "AuthorityInformationAccess" extension which points to THAT certificate's
> issuer, all the way up the line to a self-signed certificate that SHOULD NOT
> have an AIA field.
>
> For a full description, including the formatting of the certificate to be
> downloaded, please see RFC5280.
>
> As an aside, even with an AIA extension, the OpenSSL library (and by
> extension, the command line tool) will NOT fetch intermediate certificates for
> you (which is why you needed to put both certs in the cafile.pem) - this is
> because it doesn't have any code to be an HTTP or LDAP client (probably a good
> thing:). If you want to do path construction, you have to write an application
> that uses OpenSSL for the crypto, but your application has to handle all of
> the network access.
>
> Have fun!
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
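The two points Patrick makes (an AIA caIssuers pointer on every non-root certificate, and OpenSSL refusing to fetch intermediates on its own) can be reproduced end to end with the command line tool. The script below is an added example and is not code from the thread or from the OpenSSL project. It assumes an OpenSSL 1.1.1 or later binary on `PATH`; the config section names (`root_ext`, `inter_ext`, `leaf_ext`), the subject names and the `pki.example.invalid` URIs are my own placeholders, and nothing is ever downloaded from them.

```shell
#!/bin/sh
# Added example, not part of the thread: build a root -> intermediate -> client
# chain with OpenSSL, put an AuthorityInformationAccess (caIssuers) extension on
# the two non-root certificates, and confirm that `openssl verify` still needs
# the intermediate handed to it explicitly, as Patrick describes.
# The AIA URIs are placeholders on a reserved domain; nothing is fetched.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config file serves both `req` (DN section) and the extension sections.
# Only the root is self-signed, and it deliberately carries no AIA.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ inter_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:http://pki.example.invalid/root.cer

[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:http://pki.example.invalid/inter.cer
EOF

# Root CA: self-signed, no AIA (the trust anchor is where path building stops).
openssl req -x509 -new -config "$WORK/ca.cnf" -extensions root_ext \
  -subj "/CN=Example Root CA" -newkey rsa:2048 -nodes -days 3650 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA: CSR, then signed by the root; its AIA points at the root.
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=Example Intermediate CA" \
  -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.cnf" -extensions inter_ext \
  -out "$WORK/inter.pem" 2>/dev/null

# End-entity (client) certificate signed by the intermediate; AIA -> intermediate.
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=Example Client" \
  -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions leaf_ext \
  -out "$WORK/leaf.pem" 2>/dev/null

# The caIssuers URI embedded in the leaf: what an AIA-aware client (such as
# Windows CryptoAPI) would fetch to obtain the issuer certificate.
leaf_aia_uri() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# Root only in the trust store: OpenSSL does not follow the AIA, so the path
# cannot be built and verification fails ("unable to get local issuer certificate").
verify_root_only() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Intermediate supplied explicitly (via -untrusted here; appending it to the
# CAfile, as done in the thread, works too): the chain now verifies.
verify_with_intermediate() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

echo "leaf AIA caIssuers: $(leaf_aia_uri)"
if verify_root_only; then
  echo "root only: verified (unexpected)"
else
  echo "root only: failed, as expected, because OpenSSL never fetches the intermediate"
fi
if verify_with_intermediate; then
  echo "root + intermediate: verified"
fi
```

The `-untrusted` form is the one to reach for in an application: it lets the intermediate participate in path building without granting it trust-anchor status, which is what appending it to `cafile.pem` effectively does. Either way, the lesson from the thread stands: the AIA pointer helps clients like Windows that implement fetching, and OpenSSL-based code must obtain and pass the intermediate itself.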