Working with our network team, we finally found out the reason for the strange behavior of the "VeriSign Class 3 Public Primary Certification Authority - G5" cert. Actually there are 2 G5 certs from VeriSign: one is self-signed, one is signed by "Class 3 Public Primary Certification Authority", so basically there are 2 verification chains for our server:

1. our server --> VeriSign Class 3 Secure Server CA - G3 --> VeriSign Class 3 Public Primary Certification Authority - G5 --> Class 3 Public Primary Certification Authority
2. our server --> VeriSign Class 3 Secure Server CA - G3 --> VeriSign Class 3 Public Primary Certification Authority - G5
The intermediate certs deployed on our server are the following 2 certs stacked together:

VeriSign Class 3 Secure Server CA - G3
VeriSign Class 3 Public Primary Certification Authority - G5

so even though we have the self-signed "VeriSign Class 3 Public Primary Certification Authority - G5" in the trusted CA file, it won't be used. However, Firefox won't use the intermediate G5 from the server. That's the reason why we saw different verification chains in Firefox and in our application.

Dr. Stephen Henson wrote:
>
> At present which certificate is used is a matter of luck: so you shouldn't
> include expired certificates in the trusted store.
>
> In future the algorithm used will be enhanced so it can handle this situation
> properly and ignore expired certificates if an unexpired one exists.
>

Thanks for this information. This does clarify quite a bit on this. We will remove the expired trusted CA from our CA file. This does solve the current verification problem with "VeriSign Class 3 Public Primary Certification Authority - G5", no matter whether G5 is self-signed or an intermediate cert.

However, there is still one thing which is puzzling us. The old cert verification chain at our server is:

our server --> VeriSign Class 3 Secure Server CA --> Class 3 Public Primary Certification Authority

Note that its root CA "Class 3 Public Primary Certification Authority" is the same as the root CA of the "VeriSign Class 3 Public Primary Certification Authority - G5", so both the expired cert and the unexpired cert for that root CA have been present in our trusted CA file for the last couple of years; however, we never ran into a cert-expired problem. So we are not sure if this luck is related to the depth of the verification (depth: 2 vs 3).

--
View this message in context: http://old.nabble.com/strange-behavior-of-self-signed-cert-%E2%80%9CVeriSign-Class-3-Public-Primary-Certification-Authority---G5%E2%80%9D.-tp30506166p30542256.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
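The chain-building behaviour discussed in the thread, as an added example that is not part of the original post and is not OpenSSL's code: a simplified Python model of issuer lookup when a trust store holds two certificates with the same subject name (an expired and a current copy of the old root, and a self-signed plus a cross-signed G5). Certificate names mirror those in the post; keys, signatures and dates are omitted and "expired" is a constructed flag. The knobs `prefer_unexpired` (first name match wins versus an unexpired match preferred, the two behaviours Henson contrasts) and `trusted_first` (consult the trust store before the peer-supplied intermediates, the way a browser holding the self-signed G5 as a built-in anchor effectively behaves) are the model's own assumptions, not OpenSSL option names.

```python
"""Simplified model of X.509 chain building with duplicate subject names
in the trust store. Constructed example; not OpenSSL's implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    expired: bool = False  # constructed validity state, no real notAfter

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed certificates named after those in the post (no real keys).
OLD_ROOT_NAME = "Class 3 Public Primary Certification Authority"
G5_NAME = "VeriSign Class 3 Public Primary Certification Authority - G5"
G3_NAME = "VeriSign Class 3 Secure Server CA - G3"

OLD_ROOT_EXPIRED = Cert(OLD_ROOT_NAME, OLD_ROOT_NAME, expired=True)
OLD_ROOT_CURRENT = Cert(OLD_ROOT_NAME, OLD_ROOT_NAME)
G5_SELF_SIGNED = Cert(G5_NAME, G5_NAME)           # G5 as its own trust anchor
G5_CROSS_SIGNED = Cert(G5_NAME, OLD_ROOT_NAME)    # G5 issued by the old root
G3 = Cert(G3_NAME, G5_NAME)
SERVER = Cert("our server", G3_NAME)

# The two intermediates the server stacks next to its own cert.
SERVER_SENT = [G3, G5_CROSS_SIGNED]


def find_issuer(cert: Cert, pool: List[Cert], prefer_unexpired: bool) -> Optional[Cert]:
    """Pick an issuer for `cert` from `pool` by subject name.

    prefer_unexpired=False: the first name match wins, so with duplicate
    subjects the outcome depends purely on store order ("a matter of luck").
    prefer_unexpired=True: an unexpired match is chosen if one exists.
    """
    matches = [c for c in pool if c.subject == cert.issuer]
    if not matches:
        return None
    if prefer_unexpired:
        for c in matches:
            if not c.expired:
                return c
    return matches[0]


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                prefer_unexpired: bool = False, trusted_first: bool = False,
                max_depth: int = 10) -> List[Cert]:
    """Walk issuers from the leaf until a self-signed cert or a dead end.

    By default the peer-supplied (untrusted) certs are consulted before the
    trust store, which is why the cross-signed G5 sent by the server is used
    even though a self-signed G5 sits in the store. Once the walk enters the
    store it stays there.
    """
    chain = [leaf]
    in_store = False
    while not chain[-1].self_signed and len(chain) < max_depth:
        if in_store:
            pools = (trusted,)
        elif trusted_first:
            pools = (trusted, untrusted)
        else:
            pools = (untrusted, trusted)
        nxt = None
        for pool in pools:
            nxt = find_issuer(chain[-1], pool, prefer_unexpired)
            if nxt is not None:
                in_store = pool is trusted
                break
        if nxt is None:
            break
        chain.append(nxt)
    # A self-signed cert supplied by the peer is only an anchor if the store
    # holds a copy with that subject; swap the trusted copy in.
    top = chain[-1]
    if top.self_signed and top not in trusted:
        anchor = find_issuer(top, trusted, prefer_unexpired)
        if anchor is not None:
            chain[-1] = anchor
    return chain


def verify(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
           **opts) -> Tuple[str, int, List[str]]:
    """Return (result, depth, chain subjects): 'ok', 'no_issuer' or
    'expired', with the depth at which the problem was found."""
    chain = build_chain(leaf, untrusted, trusted, **opts)
    names = [c.subject for c in chain]
    top = chain[-1]
    if not (top.self_signed and top in trusted):
        return ("no_issuer", len(chain) - 1, names)
    for depth, c in enumerate(chain):
        if c.expired:
            return ("expired", depth, names)
    return ("ok", len(chain) - 1, names)


if __name__ == "__main__":
    store = [OLD_ROOT_EXPIRED, OLD_ROOT_CURRENT, G5_SELF_SIGNED]
    print("expired root listed first :", verify(SERVER, SERVER_SENT, store))
    print("store order reversed      :", verify(SERVER, SERVER_SENT, store[::-1]))
    print("prefer unexpired issuer   :", verify(SERVER, SERVER_SENT, store, prefer_unexpired=True))
    print("expired root removed      :", verify(SERVER, SERVER_SENT, [OLD_ROOT_CURRENT, G5_SELF_SIGNED]))
    print("trust store consulted first:", verify(SERVER, SERVER_SENT, store, trusted_first=True))
```

With the first-match behaviour, the same CA file passes or fails depending only on which copy of "Class 3 Public Primary Certification Authority" the lookup hits first; preferring an unexpired issuer, or simply deleting the expired copy, makes the result order-independent. The `trusted_first` case ends at the self-signed G5 after two hops, which is the shorter chain the post reports seeing in Firefox. The model says nothing about how OpenSSL orders entries loaded from a CAfile, so it does not settle the depth-2 versus depth-3 question raised at the end of the post.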