Sorry for the late answer. OpenSSL can create the certificates for you; how to do that is documented on the Internet with examples. It is a matter of creating the root CA certificate according to what most online tutorials describe, then using it to sign two sub-CA certificates (material is less abundant about this, but try searching for "openssl create sub-CA certificate"). Using the sub-CA keys you finally sign your server certificates.
Client side, you can perform the server verification provided that the server sends at least its certificate and CA_1 (or CA_2) when starting the communication. This is for instance what is done with Apache if you configure it to send not just the server certificate but also the chain. If you send the chain excluding the root CA and the client already knows the root CA, you have all the pieces. As for the code, check "man verify": the verify command performs certificate verification. Check the command source code (apps/verify.c).

On 10/17/2012 08:19 AM, Chunxi Chen wrote:
> Dear Sir/Madam,
>
> I want to consult with you regarding whether the openssl can do this:
>
> 1) create a root CA: root_CA;
> 2) create a CA based on root_CA: CA_1;
> 3) create a CA based on root_CA: CA_2;
> 4) Then server_1 uses CA_1, server_2 uses CA_2. The clients only need
> to maintain root_CA, which is able to verify CA_1 and CA_2.
>
> Can openssl create these CAs? Where to find the guide to do that?
>
> I really appreciate it if you could reply to me.
>
> Best regards
> Chunxi
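The procedure from the reply above (root_CA signing CA_1 and CA_2, each of those signing one server, and a client that trusts only root_CA verifying the chain the server sends), worked through with the openssl command line. This is an added example, not code from the mail or from the OpenSSL project. It assumes EC P-256 keys, a self-signed root, 365-day validity, a private config file so the system openssl.cnf is not needed, and hostnames of the form server_N.example.test in the SAN; the file names (root.pem, CA_1.pem, server_1-chain.pem, ...) and the helper function names are choices made for this example.

```sh
#!/bin/sh
# Added example: two-tier PKI with the openssl CLI and client-side chain verification.
# Assumptions (not from the original mail): EC P-256 keys, 365-day validity,
# openssl >= 1.1.1, hostnames server_N.example.test, file names chosen here.
set -eu

# Minimal req config so the example does not depend on the system openssl.cnf.
# The DN in it is a placeholder; -subj overrides it on every call.
write_req_cnf() {
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
}

# new_csr NAME: fresh P-256 key plus CSR for NAME (files NAME.key / NAME.csr).
new_csr() {
  openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
}

# make_root NAME: self-signed root CA (what most tutorials show as step one).
make_root() {
  cat > "$1.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial 1 -days 365 \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# sign_ca ISSUER NAME: NAME.pem becomes a sub-CA signed by ISSUER.pem/ISSUER.key.
# pathlen:0 lets CA_1/CA_2 issue end-entity certs only, never further CAs.
sign_ca() {
  cat > "$2.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# sign_server ISSUER NAME: TLS server cert for NAME signed by the sub-CA ISSUER.
# Also writes NAME-chain.pem: leaf followed by its sub-CA, root deliberately left out,
# which is what the server should present (the Apache "chain" setting in the reply).
sign_server() {
  cat > "$2.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$2.example.test
EOF
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
  cat "$2.pem" "$1.pem" > "$2-chain.pem"
}

# build_pki DIR: root -> CA_1, CA_2; server_1 under CA_1, server_2 under CA_2.
build_pki() {
  mkdir -p "$1"
  (
    cd "$1"
    write_req_cnf
    new_csr root;     make_root root
    new_csr CA_1;     sign_ca root CA_1
    new_csr CA_2;     sign_ca root CA_2
    new_csr server_1; sign_server CA_1 server_1
    new_csr server_2; sign_server CA_2 server_2
  )
}

# verify_chain ROOT SENT LEAF: the client's check. ROOT is the only trust anchor
# (-CAfile); SENT is whatever the server presented and is treated as untrusted
# material that must itself chain to ROOT; LEAF is the server certificate.
# Exit status 0 means the chain verified.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

PKI_DIR=${PKI_DIR:-$(mktemp -d)}
build_pki "$PKI_DIR"
verify_chain "$PKI_DIR/root.pem" "$PKI_DIR/server_1-chain.pem" "$PKI_DIR/server_1.pem"
verify_chain "$PKI_DIR/root.pem" "$PKI_DIR/server_2-chain.pem" "$PKI_DIR/server_2.pem"
# Wrong intermediate: CA_1 cannot vouch for a certificate CA_2 issued, so this fails.
if verify_chain "$PKI_DIR/root.pem" "$PKI_DIR/CA_1.pem" "$PKI_DIR/server_2.pem" 2>/dev/null; then
  echo "unexpected: server_2 verified through CA_1" >&2; exit 1
fi
echo "server_2 via CA_1 rejected as expected"
```

Two points worth checking in any real deployment are visible in the run: verification of server_1.pem fails as soon as the sub-CA is missing from what the server sends (drop the `-untrusted` argument and `openssl verify` reports "unable to get local issuer certificate"), and the root never needs to travel in the handshake because the client already holds it in its `-CAfile`.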
