Hi, thanks a lot for the information you shared with me.

The problem I'm facing is that I have a server certificate signed by the SubCA, and the SubCA's certificate signed by the root CA. I just loaded the server certificate on the server side using SSL_CTX_use_certificate_chain_file(), I just loaded the rootCA on the client side using SSL_CTX_load_verify_locations(), and with SSL_CTX_set_verify_depth I set the depth to 2. In this scenario, the handshake is successful. Please let me know how the client accepted the server certificate, which is signed by the SubCA.

With Regards
Ajay Kumar

Lutz Jaenicke <[EMAIL PROTECTED]> on 11/12/2002 02:48:35 PM

Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc: (bcc: Ajay Kumar Kasam/HSSBLR)

Subject: Re: how to handle certificate chains

On Tue, Nov 12, 2002 at 01:58:50PM +0530, [EMAIL PROTECTED] wrote:
> If we have a scenario where the root CA gives certificates to the SubCA, which in turn
> gives certificates to our server,
> what should the server give in the handshake (both the SubCA and server
> certificates, or only the server certificate, or
> all three: rootCA, SubCA and server certificates)?
>
> What should we load in SSL_CTX_use_certificate_chain_file()
> and what should we load in SSL_CTX_load_verify_locations() at the client
> side?

The server MUST send the server cert and the SubCA cert, both to be specified with the SSL_CTX_use_certificate_chain_file() function. The server MAY additionally send the root CA cert. (I would recommend sending it for completeness with respect to other people contacting your server, but it is not required.)

On the client side you should only load the rootCA cert with SSL_CTX_load_verify_locations().

Best regards,
    Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
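
The chain layout discussed in this thread, as an added example that is not part of the original messages. It uses the openssl command-line tool to build a constructed root CA, SubCA and server certificate (all names and file names are made up), counts the certificates in each PEM file, and checks the server certificate as a client that trusts only the root. `openssl verify -untrusted` stands in here for the extra certificates a server sends in the handshake.

```shell
#!/bin/sh
# Added example. Constructed demo PKI: Demo Root CA -> Demo SubCA -> server.example.
set -eu

new_csr() {  # $1 = dir, $2 = file stem, $3 = CN (all made up for this demo)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {  # $1 = empty working directory
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$1/ca.ext"
    new_csr "$1" root "Demo Root CA"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
    new_csr "$1" subca "Demo SubCA"
    openssl x509 -req -in "$1/subca.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 30 -extfile "$1/ca.ext" -out "$1/subca.pem" 2>/dev/null
    new_csr "$1" server "server.example"
    openssl x509 -req -in "$1/server.csr" -CA "$1/subca.pem" -CAkey "$1/subca.key" \
        -set_serial 3 -days 30 -out "$1/server.pem" 2>/dev/null
    # Layout read by SSL_CTX_use_certificate_chain_file(): leaf first, then SubCA.
    cat "$1/server.pem" "$1/subca.pem" > "$1/chain.pem"
}

# How many certificates a PEM file really holds (1 = leaf only, 2 = leaf + SubCA).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Client view: only root.pem is trusted. $2 (optional) holds the extra
# certificates the peer supplied; they help build the chain but are not trusted.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/server.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"
echo "certificates in chain.pem:  $(count_certs "$demo/chain.pem")"
echo "certificates in server.pem: $(count_certs "$demo/server.pem")"
verify_leaf "$demo" "$demo/chain.pem" && echo "SubCA supplied: verify OK"
verify_leaf "$demo" || echo "SubCA missing: verify fails"
```

Running `count_certs` on the file that is actually passed to SSL_CTX_use_certificate_chain_file() shows whether the SubCA certificate is being sent along with the server certificate.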