Hi,
Thanks a lot for the information you shared with me.

The problem I'm facing is this: I have a server certificate signed by the
SubCA, and the SubCA's certificate is signed by the root CA. I just loaded
the server certificate on the server side using
SSL_CTX_use_certificate_chain_file(), and I just loaded the root CA on the
client side using SSL_CTX_load_verify_locations() and
SSL_CTX_set_verify_depth(); I set the depth to 2. In this scenario, the
handshake is successful.

Please let me know how the client accepted the server certificate, which is
signed by the SubCA.

With Regards
Ajay Kumar




Lutz Jaenicke <[EMAIL PROTECTED]> on 11/12/2002 02:48:35 PM

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:    (bcc: Ajay Kumar Kasam/HSSBLR)

Subject:  Re: how to handle certificate chains




On Tue, Nov 12, 2002 at 01:58:50PM +0530, [EMAIL PROTECTED] wrote:
> If we have a scenario where the root CA gives certificates to the SubCA,
> which in turn gives certificates to our server,
> what should the server give in the handshake (both the SubCA and server
> certificates, or only the server certificate, or
> all three: rootCA, SubCA and server certificates)?
>
> What should we load with SSL_CTX_use_certificate_chain_file(),
> and what should we load with SSL_CTX_load_verify_locations() on the client
> side?

The server MUST send server cert and SubCA cert, both to be specified
with the SSL_CTX_use_certificate_chain_file() function.
The server MAY send additionally the root CA cert. (I would recommend
to send it for completeness with respect to other people contacting
your server, but it is not required).

On the client side you only should load the rootCA cert with
SSL_CTX_load_verify_locations().

Best regards,
     Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
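
The client-side check discussed in this thread, reproduced with the openssl command-line tool as an added example that is not part of the original messages: a constructed root CA, SubCA and server certificate (all names and file names are made up) are verified with only the root trusted. Here `-untrusted` stands in for the extra certificates a server sends in the handshake.

```shell
#!/bin/sh
# Constructed three-level PKI; every name and file is made up for this example.
# Needs the openssl command-line tool.

# new_csr NAME CN: fresh RSA key plus a signing request for it
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_pki DIR: root signs itself, root signs the SubCA, the SubCA signs the
# server certificate. Runs in a subshell so the caller's directory is unchanged.
build_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    new_csr root "Example Root CA" &&
    new_csr subca "Example SubCA" &&
    new_csr server "server.example.test" &&
    openssl x509 -req -days 1 -in root.csr -signkey root.key \
        -extfile ca.ext -out root.pem 2>/dev/null &&
    openssl x509 -req -days 1 -in subca.csr -CA root.pem -CAkey root.key \
        -set_serial 2 -extfile ca.ext -out subca.pem 2>/dev/null &&
    openssl x509 -req -days 1 -in server.csr -CA subca.pem -CAkey subca.key \
        -set_serial 3 -extfile leaf.ext -out server.pem 2>/dev/null
)

# verify_leaf DIR [extra verify options]: succeeds only if a path from
# server.pem up to the trusted root.pem can be built
verify_leaf() {
    dir=$1; shift
    openssl verify -CAfile "$dir/root.pem" "$@" "$dir/server.pem" 2>&1 | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) && build_pki "$d" || return 1
    # Only the leaf is available: the issuer of server.pem cannot be found
    verify_leaf "$d" && echo "leaf only: accepted" || echo "leaf only: rejected"
    # Leaf plus SubCA: the SubCA is used for path building only;
    # trust still comes from root.pem alone
    verify_leaf "$d" -untrusted "$d/subca.pem" && echo "leaf + SubCA: accepted" \
        || echo "leaf + SubCA: rejected"
    rm -rf "$d"
}

demo
```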





