On Thu, Mar 13, 2014 at 12:07:09PM +0530, Harshal Talele wrote:

> I have now added server cert, private key and intermediate certificates
> in one file and reading them using SSL_CTX_use_certificate_chain_file()
> API.
>
> But one thing I want to understand. My server certificate is self-signed.
> And intermediate certificates are signed by a root-CA cert.

If it is really self-signed, it has no intermediate issuing CA, so all
those other certificates you mention below are pointless noise.

> root-CA cert -self-signed.
> int1 - root-CA signed
> int2 - int1 signed

Correct, provided the server certificate is signed by "int2". Otherwise,
there's no point. The order of the certificates in the chain file should
be:

    server
    int2
    int1

(and last *optionally* the root-CA, which may some day be needed for
DANE if you publish the root as a DANE-TA(2) trust anchor).

> Is this the right way of doing this?

Perhaps, see above.

> I don't understand how we connect the chain up to server certificate in such
> case.

If the certificate is self-signed, there is no chain to connect it to.

> Can you please help me understand this problem?

You are asking the wrong question. What is your real problem? That
is, what are you trying to achieve, rather than what's going wrong
with how you think it should be done.

-- 
Viktor.
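
The ordering rule in the reply above (server, int2, int1, optionally the root last) written as a check; this is an added example, not part of the original message or of OpenSSL. The function names `chain_links` and `check_chain_order` are hypothetical, the `openssl` command-line tool is assumed to be installed, and only subject/issuer name linkage is compared, not signatures.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that a PEM chain file is ordered
# server, int2, int1 [, root] by name linkage only; signatures are not verified.

# Print "subject_hash issuer_hash" per certificate, in file order.
chain_links() {
    tmp=$(mktemp -d) || return 2
    # One file per CERTIFICATE block; a private key in the same file is skipped.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", d, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        s=$(openssl x509 -in "$f" -noout -subject_hash) || s=bad-subject
        i=$(openssl x509 -in "$f" -noout -issuer_hash) || i=bad-issuer
        echo "$s $i"
    done
    rm -rf "$tmp"
}

# Exit status 0 when each certificate is issued by the one that follows it.
check_chain_order() {
    links=$(chain_links "$1")
    idx=0 prev_issuer=
    while read -r subj iss; do
        [ -n "$subj" ] || continue
        idx=$((idx + 1))
        if [ "$idx" -eq 1 ] && [ "$subj" = "$iss" ]; then
            echo "self-signed leaf: no chain to connect"; return 1
        fi
        if [ "$idx" -gt 1 ] && [ "$subj" != "$prev_issuer" ]; then
            echo "certificate $idx did not issue certificate $((idx - 1))"; return 1
        fi
        prev_issuer=$iss
    done <<EOF
$links
EOF
    [ "$idx" -gt 0 ] || { echo "no certificates found"; return 1; }
    echo "ok: $idx certificates in leaf-first order"
}

if [ "$#" -gt 0 ]; then check_chain_order "$1"; fi
```

Run it as `sh check_chain.sh chain.pem` before handing the file to `SSL_CTX_use_certificate_chain_file()`.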