The man page for "SSL_CTX_use_certificate_chain_file" states:

        SSL_CTX_use_certificate_chain_file() loads a certificate chain from
        file into ctx. The certificates must be in PEM format and must be
        sorted starting with the certificate to the highest level (root CA).
        There is no corresponding function working on a single SSL object.

My PKI hierarchy consists of three layers, a self-signed root CA that is owned by the corporate security group, a sub-CA that is responsible for distributing end-user certificates, and end users who receive certificates from the sub-CA.

The server certificate is issued by the root CA.

User certificates are issued by the sub-CA.

The root certificate is loaded into the CTX using SSL_CTX_load_verify_locations() on both client and server applications.

Now comes the question:

o If I build a certificate chain file as described in the man page with all three certificates (user,sub-CA,root-CA), handshake fails.

o If I build a certificate chain file with only two certificates (user,sub-CA), handshake succeeds.

Why? Is this a bug? Or is there something more subtle going on?
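As an added example (not part of this post, and not OpenSSL's own code): a small checker for the ordering rule the man page describes, written against the PEM/DER layout of the chain file rather than against the OpenSSL API, so it runs without libssl. All function names are mine; the "certificates" it is fed are constructed stand-ins with only the fields the checker reads, not real signed certificates, so on a real system you would pass the contents of the actual chain file instead.

```python
import base64, re

def _tlv_at(data, pos):
    """Decode one DER TLV header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(data, start, end):
    """Yield (tag, value bytes, raw TLV bytes) of each element in data[start:end]."""
    while start < end:
        tag, vs, ve = _tlv_at(data, start)
        yield tag, data[vs:ve], data[start:ve]
        start = ve

def cert_subject_issuer(der):
    """Return (subject, issuer) as raw DER Name encodings of an X.509 certificate."""
    _, vs, ve = _tlv_at(der, 0)                         # Certificate ::= SEQUENCE
    _, tbs, _ = next(_children(der, vs, ve))            # tbsCertificate value
    f = list(_children(tbs, 0, len(tbs)))
    i = 1 if f[0][0] == 0xA0 else 0                     # skip optional [0] version
    return f[i + 4][2], f[i + 2][2]                     # f[i+2] issuer, f[i+4] subject

def pem_certs(text):
    """Split a PEM bundle into DER certificates, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_problems(pem_text):
    """Order SSL_CTX_use_certificate_chain_file() expects: end-entity certificate
    first, each certificate issued by the one after it. Empty list means OK."""
    names = [cert_subject_issuer(c) for c in pem_certs(pem_text)]
    return [f"cert {k} is not issued by cert {k + 1}: chain is out of order"
            for k in range(len(names) - 1) if names[k][1] != names[k + 1][0]]

def fake_cert(subject_cn, issuer_cn):
    """CONSTRUCTED input: a DER blob with the TBSCertificate layout the checker reads
    (version, serial, sigalg, issuer, validity, subject); not a signed X.509 cert."""
    t = lambda tag, c: bytes([tag, len(c)]) + c        # short-form DER TLV (< 128 bytes)
    name = lambda cn: t(0x30, t(0x31, t(0x30, t(0x06, b"\x55\x04\x03") + t(0x0C, cn.encode()))))
    tbs = (t(0xA0, t(0x02, b"\x02")) + t(0x02, b"\x01") + t(0x30, b"")
           + name(issuer_cn) + t(0x30, b"") + name(subject_cn))
    der = t(0x30, t(0x30, tbs) + t(0x30, b"") + t(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# The three-tier PKI from the post, as constructed stand-ins for the real certificates.
ROOT, SUB, USER = fake_cert("Root CA", "Root CA"), fake_cert("Sub CA", "Root CA"), fake_cert("User", "Sub CA")
```

`chain_problems(USER + SUB + ROOT)` and `chain_problems(USER + SUB)` both return an empty list, while a file concatenated root-first is reported at every link.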
