> -----Original Message-----
> From: Patrick Patterson
>
> On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
> > Is there a way (via the API rather than the tool) to tell OpenSSL that
> > the sub-CA certificate is trusted and it doesn't need to walk further
> > up the chain? For my case, I embed the sub-CA certificate in my code
> > and I'm space constrained so I'd prefer to not include the entire
> > certificate chain.
>
> According to RFC5280 this is not allowed (See section 6). Given that if
> the Root revokes the Sub-CA, the EE cert is invalid, you have to check
> the entire chain to ensure that all parts are still valid. As a rule,
> you can only use self-signed certificates as trust anchors.

This is not true. You only have to do path validation up to your trust anchor, 
whatever that is, be it a root-ca, a subordinate-ca or even an ee. Only if you 
check for revocation do you have to walk up the whole chain from ee to root-ca.

Unfortunately, the perceived verification algorithm is a limitation in openssl, 
which always wants to do path validation up to a self-signed cert, even if no 
revocation checking is requested. And no, there's no way to modify its 
verification algorithm besides changing the code.

This also has consequences for applications using openssl for ssl support like 
apache, where you cannot easily configure it to authenticate only those clients 
presenting a cert that was issued by a specific subordinate-ca.


Patrick Eisenacher


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
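The two behaviours the thread contrasts, path validation that stops at a non-self-signed trust anchor versus OpenSSL's insistence on reaching a self-signed certificate, can be reproduced with the openssl command line. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a constructed root -> sub-CA -> end-entity chain (the names Example Root, Example Sub-CA and example.test are made up) and then verifies the end-entity certificate with only the sub-CA as trusted certificate, with and without `-partial_chain`. That option, and the matching API flag `X509_V_FLAG_PARTIAL_CHAIN`, were added in OpenSSL 1.0.2, i.e. after this 2010 exchange; on older releases the sub-CA-only case always fails, as the reply above describes.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> sub-CA -> EE with the
# openssl CLI, then verify the EE with only the sub-CA as trust anchor.
# Subject names (Example Root, Example Sub-CA, example.test) are constructed.
set -e

# build_chain DIR: writes root.crt, sub.crt, ee.crt (and their keys) into DIR.
build_chain() {
    dir=$1

    # Self-signed root. 'req -x509' marks the certificate as a CA (via the
    # default openssl.cnf v3_ca section, or built in on OpenSSL 3).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1

    # Subordinate CA: CSR signed by the root with an explicit CA:TRUE
    # basicConstraints; without it OpenSSL refuses to use it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/sub.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Sub-CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/sub.ext" \
        -out "$dir/sub.crt" >/dev/null 2>&1

    # End-entity certificate signed by the sub-CA.
    printf 'basicConstraints=CA:FALSE\n' > "$dir/ee.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$dir/ee.key" -out "$dir/ee.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ee.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/ee.ext" \
        -out "$dir/ee.crt" >/dev/null 2>&1
}

# verify_ee DIR ANCHOR [verify options...]: path-validate DIR/ee.crt with
# DIR/ANCHOR as the only trusted certificate; prints "ok" or "fail".
verify_ee() {
    dir=$1
    anchor=$2
    shift 2
    if openssl verify "$@" -CAfile "$dir/$anchor" "$dir/ee.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demo of the cases discussed in the thread.
demo_dir=$(mktemp -d)
build_chain "$demo_dir"
echo "sub-CA as anchor, default:        $(verify_ee "$demo_dir" sub.crt)"
echo "sub-CA as anchor, -partial_chain: $(verify_ee "$demo_dir" sub.crt -partial_chain)"
echo "root as anchor, sub-CA untrusted: $(verify_ee "$demo_dir" root.crt -untrusted "$demo_dir/sub.crt")"
rm -rf "$demo_dir"
```

The default run ends with "unable to get issuer certificate" because the store holds the sub-CA but OpenSSL keeps looking for its issuer; `-partial_chain` lets the non-self-signed store certificate terminate the path, which is the behaviour the original poster asked for. In the C API the same switch is `X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN)` on the store's or context's verify parameters. The caveat from the quoted message still applies to such a deployment: a validator that stops at the sub-CA can check the end-entity certificate against the sub-CA's CRL, but it cannot learn that the root has revoked the sub-CA itself, so that risk has to be covered by rotating the embedded anchor.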