Sigh.

Well, I added the intermediate CA to the cert chain sent by my proxy
(and verified this with Wireshark).

OpenSSL s_client -CAfile cacert.pem -host login.yahoo.com -port 443
works and shows the trust chain.

But, Firefox, with cacert.pem loaded into its trust store still
complains. :-(

 

-----Original Message-----
From: Rene Hollan 
Sent: Thursday, March 12, 2009 5:39 PM
To: 'openssl-users@openssl.org'
Subject: RE: Can't recognize intermediate CA

Yup. That fixed it. At least as far as openssl verify -CAfile
cacert.pem -untrusted intcert2.pem yahoo-x.pem goes.

Oddly, Firefox still rejects the end cert, even though both cacert.pem
and intcert2.pem are in its trust store. Is it possible that browsers
actually ignore intermediate CA certs in their trust store and expect
servers to provide them? That's the next thing for me to try (if only I
can remember how to do that with openssl... :-)).


-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, March 12, 2009 4:23 PM
To: openssl-users@openssl.org
Subject: Re: Can't recognize intermediate CA


If it's any consolation, you aren't alone with that; it gets commented on
quite often, so much so in fact that it has an FAQ entry:

http://www.openssl.org/support/faq.html#USER15

You can just leave out the issuer+serial number combination from AKID
too.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org