Hi, thank you all for the clarification. As most users do not have OpenSSL 1.0.2, this doesn't seem to solve my problem.
What I want to achieve is having a new rootCA which replaces the oldRootCA I am using until now. So far the trust chain is: oldRoot -> oldServerCert.

What I thought should be possible is building this trust chain: oldRoot -> newRoot -> newSubCA -> newServerCert. As users are trusting oldRoot, changing the oldServerCert to newServerCert is no problem. After some time, users would move trust to newRoot and I can "disable" oldRoot.

This doesn't seem possible, if I understand your answers correctly. Is there another/better/default way of smoothly changing a trust anchor? I.e. by cross-signing the newRoot by itself and the oldRoot?

Thanks,
Sven.

--
PGP Key: https://0x80.io/pub/files/key.asc
PGP Key Fingerprint: 2DF2 79CD 48DD 4D38 F0B6 7557 2E68 D557 49AA 1D99
Note: I'll be transitioning away from this key in the near future.

On 05/27/2014 05:16 PM, Dr. Stephen Henson wrote:
> On Tue, May 27, 2014, Viktor Dukhovni wrote:
>
>> On Tue, May 27, 2014 at 03:44:46PM +0200, Sven Reissmann wrote:
>>
>>> But, shouldn't it also be possible to only verify the trust chain up to
>>> the subCA (i.e., if I fully trust this CA)? I would have expected that
>>> this will verify successfully:
>>
>> OpenSSL versions prior to 1.0.2 require that all trusted certificates
>> be self-signed. In 1.0.2 it is possible to use X509_verify_cert()
>> with a trust anchor that is not self-signed, but I don't recall
>> whether this is possible through the CLI.
>>
>
> It is with the -partial_chain option.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
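The rollover Sven asks about, worked through with the openssl CLI as an added example (not code from this thread): oldRoot stays the anchor clients trust, newRoot is cross-signed by oldRoot so the new chain validates for them, and Steve's -partial_chain lets newSubCA act as a non-self-signed anchor. All CA names, keys and file names are constructed for the demo; it assumes an openssl CLI of 1.1.1 or later.

```shell
#!/bin/sh
# Constructed PKI for the rollover described above: clients keep trusting oldRoot
# while newRoot -> newSubCA -> server is rolled out, bridged by a cross-certificate
# (newRoot's key and subject, signed by oldRoot). All names are made up; needs the
# openssl CLI, 1.1.1 or later (trusted-first path building, -partial_chain).
set -e
cd "$(mktemp -d)"
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
# fresh RSA key and CSR for subject CN=$1 (test-only material)
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null; }
# self-sign CSR $1 with extension section $2 -> $1.crt
selfsign() { openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -extfile ext.cnf -extensions "$2" -out "$1.crt" 2>/dev/null; }
# sign CSR $1 with CA $2 using extension section $3 -> file $4
casign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 1 -extfile ext.cnf -extensions "$3" -out "$4" 2>/dev/null; }

csr oldRoot;  selfsign oldRoot ca                      # anchor everyone trusts today
csr newRoot;  selfsign newRoot ca                      # anchor everyone should trust later
casign newRoot oldRoot ca newRoot-cross.crt            # same key/subject as newRoot, issued by oldRoot
csr newSubCA; casign newSubCA newRoot ca newSubCA.crt  # issuer name "CN=newRoot" matches both newRoot certs
csr server;   casign server newSubCA leaf server.crt

cat newSubCA.crt newRoot-cross.crt > chain-transition.pem  # what the server sends while both anchors are in use
cp newSubCA.crt chain-final.pem                            # what it sends once oldRoot is retired

# verify server.crt against anchor $1 with untrusted chain $2 and optional flags $3 (unquoted on purpose); prints ok/fail
verify() { openssl verify $3 -CAfile "$1" -untrusted "$2" server.crt >/dev/null 2>&1 && echo ok || echo fail; }

echo "old-trust client, transition chain: $(verify oldRoot.crt chain-transition.pem)"   # ok, via the cross-cert
echo "new-trust client, transition chain: $(verify newRoot.crt chain-transition.pem)"   # ok, self-signed newRoot preferred
echo "new-trust client, final chain:      $(verify newRoot.crt chain-final.pem)"        # ok
echo "old-trust client, final chain:      $(verify oldRoot.crt chain-final.pem)"        # fail: oldRoot retired too early
echo "anchor newSubCA, -partial_chain:    $(verify newSubCA.crt chain-final.pem -partial_chain)"  # ok (1.0.2+)
echo "anchor newSubCA, default flags:     $(verify newSubCA.crt chain-final.pem)"       # fail: anchor must be self-signed
```

Only the server-side chain changes during the transition; clients that have not yet moved to newRoot keep validating through the cross-certificate, and the last two lines show why the thread's question about trusting the subCA directly needs -partial_chain.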