Matthias, 

Generally, when you are 'accepting a cert' in the web browser, you are 
accepting that _server's_ cert, and not automatically saving the CA cert. 

For a Certificate Authority of your own to be accepted, you'd have to manually 
install that CA's cert into the root store for that browser. 

This, then, would allow SSL to verify the Server's cert against this 
newly-installed CA cert. Thus, your chain is tested. 


Lou Picciano 

----- Original Message ----- 
From: "Matthias Meixner" <mmeix...@hypercom.com> 
To: openssl-users@openssl.org 
Sent: Thursday, February 10, 2011 10:19:03 AM 
Subject: Adding non-root certificates to the list of trusted certificates? 


Hello! 

When you connect to a webserver for which you do not have a trusted CA 
certificate, normally the browser allows you to permanently accept the 
certificate and continue. 

How can this be done using OpenSSL? If I add this non-self-signed certificate 
to the list of trusted certificates (e.g. via CAfile), it is ignored and 
verification fails. 
I have never had any success if the certificate chain was incomplete. 

Example: 
I have the following certificates: 

root-ca.cert -> ca.cert -> server.cert 

The server uses server.cert as certificate. 

If CAfile contains root-ca.cert, everything works fine. 

However, if CAfile only contains server.cert, verification fails. But this is 
exactly what most browsers allow: just accept any certificate as long as the 
user has agreed to accept it. 

So how can this be done using OpenSSL? Is there any option I can set? Or is 
there only the brute-force way of using the verify callback, reading all the 
certificates from CAfile and comparing them manually with the server 
certificate? 

Regards, 

Matthias Meixner 
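
For the chain in the question, the script below (an added example, not code from either poster) builds root-ca -> ca -> server with openssl(1) in a scratch directory and compares what `openssl verify` accepts for three different trust-store contents. It assumes an OpenSSL 1.0.2 or later binary in PATH: the `-partial_chain` option (X509_V_FLAG_PARTIAL_CHAIN in the library API) was added in 1.0.2, after this thread, and is the supported way to get the browser-style "trust this one certificate" behaviour without a custom verify callback.

```shell
#!/bin/sh
# Added example (not from the thread). Builds root-ca -> ca -> server in a scratch
# directory with openssl(1) and checks what "openssl verify" accepts.
# Assumes an OpenSSL 1.0.2+ binary in PATH (-partial_chain appeared in 1.0.2).
WORK=$(mktemp -d)

# Create a key and CSR for <name>, then sign it with <ca>'s key and cert from
# $WORK, or self-sign when <ca> is "self". <exts> is x509v3 extension text.
issue() {  # issue <name> <ca|self> <exts>
  openssl req -batch -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf '%s\n' "$3" > "$WORK/$1.ext"
  if [ "$2" = self ]; then signer="-signkey $WORK/$1.key"
  else signer="-CA $WORK/$2.cert -CAkey $WORK/$2.key -CAcreateserial"; fi
  # $signer is deliberately unquoted: mktemp -d paths contain no spaces.
  openssl x509 -req -in "$WORK/$1.csr" $signer -extfile "$WORK/$1.ext" \
    -days 2 -out "$WORK/$1.cert" >/dev/null 2>&1
}

build_chain() {
  issue root-ca self 'basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign'
  issue ca root-ca 'basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign'
  issue server ca 'basicConstraints=CA:FALSE'
}

# Exit status 0 iff "openssl verify <args> server.cert" accepts the server cert.
verify_with() {
  (cd "$WORK" && openssl verify "$@" server.cert >/dev/null 2>&1)
}

build_chain
# 1. Root in the trust store, intermediate supplied as untrusted (a TLS server
#    would send it in the handshake): accepted.
verify_with -CAfile root-ca.cert -untrusted ca.cert && echo "root-ca.cert: OK"
# 2. Only the non-self-signed leaf in the trust store, default flags: OpenSSL
#    still looks for an issuer and fails with "unable to get local issuer
#    certificate". This is the failure the question reports.
verify_with -CAfile server.cert || echo "server.cert without -partial_chain: rejected"
# 3. -partial_chain lets a non-self-signed certificate in the store act as the
#    trust anchor: pin the leaf (browser-style exception) or the intermediate.
verify_with -partial_chain -CAfile server.cert && echo "server.cert pinned: OK"
verify_with -partial_chain -CAfile ca.cert && echo "ca.cert pinned: OK"
```

From C the same flag is set with X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN) on the verify parameters obtained from SSL_CTX_get0_param(). As with any trust anchor, the pinned certificate's own signature is not checked in this mode, so the stored copy must be protected like a root.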

______________________________________________________________________ 
OpenSSL Project http://www.openssl.org 
User Support Mailing List openssl-users@openssl.org 
Automated List Manager majord...@openssl.org 
