Thank you both for your very helpful replies. Now I have tested a so-called valid subCA. In my root CA and subCA configuration files (separate configuration files) I have basic constraints set to "CA:True", exactly the same as the root certificate. But when I loaded my subCA, which was signed by my root CA, it gave a certificate chain error. A valid subCA signed by a valid root CA cannot be trusted as far as I can see. Or maybe I misunderstood?

"Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
On Fri, Mar 17, 2006, Olaf Gellert wrote:

> Dr. Stephen Henson wrote:
> > On Fri, Mar 17, 2006, michael Dorrian wrote:
> >
> >> 1. Can a CA signed by the root CA act as a trusted CA itself?.
> >
> > Provided the root CA permits this...
>
> Actually I think: not. It seems to be impossible
> to evaluate a certificate only up to a subCA,
> openssl always requires the complete chain up to
> the root CA. So I cannot tell openssl "this is a
> trusted subordinate CA, that's enough."
>

That's not actually what I meant. I meant that a valid subCA signed by a
trusted root CA is itself trusted.

There is a mechanism to restrict trust to explicit chains in S/MIME but not
currently in SSL.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]


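The following script is an added example, not code from anyone in this thread. It builds a root CA, a subCA signed by it (both with basicConstraints CA:TRUE) and a leaf certificate, then runs the four `openssl verify` cases the thread talks about: the leaf fails against the root alone (the chain error reported above), passes once the subCA is supplied with -untrusted, fails against the subCA alone (the point Olaf raises), and passes with -partial_chain, a flag that only appeared in OpenSSL 1.0.2, long after this 2006 exchange. It assumes the openssl CLI is installed; all file names and subject names are constructed here.

```shell
#!/bin/sh
# Added example: root CA -> subCA -> leaf, all constructed here; needs the openssl CLI.
set -eu
PKI=$(mktemp -d)
cat > "$PKI/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

# issue NAME EXT_SECTION ISSUER_CERT ISSUER_KEY: make a key + CSR, sign it with the issuer.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$PKI/ca.cnf" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial -days 365 \
    -extfile "$PKI/ca.cnf" -extensions "$2" -out "$PKI/$1.pem" 2>/dev/null
}

build_pki() {
  # Self-signed root using the same CA:TRUE section the subCA will get.
  openssl req -x509 -new -newkey rsa:2048 -nodes -subj /CN=root -days 365 \
    -config "$PKI/ca.cnf" -extensions v3_ca \
    -keyout "$PKI/root.key" -out "$PKI/root.pem" 2>/dev/null
  issue sub  v3_ca   "$PKI/root.pem" "$PKI/root.key"
  issue leaf v3_leaf "$PKI/sub.pem"  "$PKI/sub.key"
}

# Exit 0 when openssl verify accepts leaf.pem with the given options.
verify_leaf() { openssl verify "$@" "$PKI/leaf.pem" >/dev/null 2>&1; }

report() { if verify_leaf "$@"; then echo "OK   verify $*"; else echo "FAIL verify $*"; fi; }

build_pki
report -CAfile "$PKI/root.pem"                           # FAIL: subCA missing from the chain
report -CAfile "$PKI/root.pem" -untrusted "$PKI/sub.pem" # OK:   complete chain up to the root
report -CAfile "$PKI/sub.pem"                            # FAIL: subCA alone, no path to a root
report -partial_chain -CAfile "$PKI/sub.pem"             # OK:   OpenSSL 1.0.2 and later only
```

The second case is the usual fix for the chain error in the post: the subCA certificate has to be handed to the verifier (here with -untrusted, in a server it is sent along with the leaf), while trust still ends at the root.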