Re: Installing a certificate chain

2006-02-28 Thread Kyle Hamilton
Actually, there's a paper that was pointed out to me not too long ago (by Philipp Gühring of CAcert.org) -- it /should/ be possible, however there's a severe lack of support in the current implementations. http://www.dfn-pca.de/bibliothek/reports/pki-linking/report-linking-final-1.0.2.pdf (CC:AT-N

Re: Installing a certificate chain

2006-02-28 Thread Alain Damiral
Hi, This question might be slightly silly and out of place but this conversation brought it up to me. I don't remember seeing the answer... Is it possible to send several chains, each rooted by a different CA? And then let the client determine if he trusts one of those CAs. Cheers, - Alai

Re: Installing a certificate chain

2006-02-28 Thread Kyle Hamilton
The only certificates that must be sent are the server identification and the certs up to (but not including) the trust anchor. (Since the client already has the trust anchor, it will verify against its local copy of the root CA, not the copy of the root CA that came from the connection.) Sending

Re: Installing a certificate chain

2006-02-27 Thread Brian Candler
On Mon, Feb 27, 2006 at 07:36:16PM +, Brian Candler wrote: > Ah. I had just used -cert ../server.example.com-cert.pem (where this file > contains all the certificates). So now I've added -CAfile as well, pointing > to the same file: > > #!/bin/sh > cd content > openssl s_server -cert ../server

Re: Installing a certificate chain

2006-02-27 Thread Brian Candler
On Mon, Feb 27, 2006 at 08:05:59PM +0100, Dr. Stephen Henson wrote: > On Mon, Feb 27, 2006, Brian Candler wrote: > > > On Mon, Feb 27, 2006 at 01:41:33PM +0100, Dr. Stephen Henson wrote: > > > Since you didn't include the root CA it isn't possible to say why it isn't > > > excluded. > > > > > > I

Re: Installing a certificate chain

2006-02-27 Thread Dr. Stephen Henson
On Mon, Feb 27, 2006, Brian Candler wrote: > On Mon, Feb 27, 2006 at 01:41:33PM +0100, Dr. Stephen Henson wrote: > > Since you didn't include the root CA it isn't possible to say why it isn't > > excluded. > > > > I notice the small serial numbers in the certificates and some invalid > > extensio

Re: Installing a certificate chain

2006-02-27 Thread Brian Candler
On Mon, Feb 27, 2006 at 01:41:33PM +0100, Dr. Stephen Henson wrote: > Since you didn't include the root CA it isn't possible to say why it isn't > excluded. > > I notice the small serial numbers in the certificates and some invalid > extensions in there. I'd suggest using the CA.pl script (if you

Re: Installing a certificate chain

2006-02-27 Thread Dr. Stephen Henson
On Mon, Feb 27, 2006, Brian Candler wrote: > I'm trying to get a client to verify a server certificate signed by a sub-CA > when the client has only the root CA certificate. > > I'm using TinyCA (GUI wrapper around OpenSSL) as the CA. Here's what I've > done: > > 1. Created a root CA (CN=root.ca

Installing a certificate chain

2006-02-27 Thread Brian Candler
I'm trying to get a client to verify a server certificate signed by a sub-CA when the client has only the root CA certificate. I'm using TinyCA (GUI wrapper around OpenSSL) as the CA. Here's what I've done: 1. Created a root CA (CN=root.ca.linnet.org) 2. Created a sub CA under this (CN=sub.ca.lin