On Wed, Nov 10, 2010 at 10:10:48PM +0000, Dimitrios Siganos wrote:

> Hi,
>
> Is there a way to instruct openssl to treat an intermediate CA as a
> trusted CA, which need not have its issuer checked, i.e. it will be the
> last certificate of the certificate chain.
>
> It seems that openssl insists on always terminating a chain at a
> self-signed certificate. However, in this case, we want to limit
> ourselves in a sub-tree of the CA and not expose ourselves to other
> branches of the hierarchy that are not relevant to us. We have no
> control over the generation of the certificates and we can't solve the
> problem by restructuring or recreating the CA hierarchy.

You typically have control of certificate chain verification via
verification callbacks (at least in SSL). You can insist that the
intermediate certificate in question be present in the trust chain.

> A is a self-signed root CA (root ca)
> B is a sub CA signed by A. (intermediate ca)
> C is a server certificate signed by B. (server certificate)
>
> A -> B -> C
>
> We would like to treat B as the end of the chain and never install A
> anywhere. As far as our setup is concerned, B is the root CA, it just
> happens to not be self-signed.

You can turn the "can't find local issuer" error for B into an OK in the
verification callback by specifically whitelisting the fingerprint of B,
or finding B in a suitable store.

> We want to be able to connect a client, which trusts 'B', to a server
> that only has 'C'. 'A' should not enter the picture at all.
>
> What is the correct way to achieve this with openssl?

If you are coding the SSL client, you can customize the verification
callbacks. The default verification callbacks check for a trusted
self-signed root. This may be easier if the server presents "B+C", not
just "C" as its cert chain.

-- 
	Viktor.
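The behaviour discussed in the thread, shown end to end as an added shell example that is not part of the original mailing-list exchange: the script builds a constructed A -> B -> C chain with the openssl command-line tool, then verifies C against a trust store containing only B. The default run fails, because the chain walk only stops at a self-signed certificate; the second run passes `-partial_chain`, which lets a non-self-signed certificate found in the trust store end the chain, so B is the anchor and A is never installed. All subject names, file names and the temporary directory are assumptions for the demo; `-partial_chain` requires OpenSSL 1.0.2 or later, which did not exist when the thread was written.

```shell
#!/bin/sh
# Added example (not from the original thread): build a constructed
# A -> B -> C chain with the openssl CLI and show that a trust store
# holding only the intermediate B is rejected by default but accepted
# once B may end the chain (-partial_chain, OpenSSL 1.0.2 or later).
# Subject names, file names and paths below are assumptions for the demo.
set -e

# Create A (self-signed root), B (intermediate signed by A) and
# C (server leaf signed by B) in a fresh directory; print that directory.
make_chain() {
  dir=$(mktemp -d)

  # Extension files: CA certificates must carry CA:TRUE, the leaf must not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example\n' \
    > "$dir/leaf.ext"

  # A: self-signed root CA (req -x509 marks it CA:TRUE by default)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Root A" \
    -keyout "$dir/A.key" -out "$dir/A.pem" >/dev/null 2>&1

  # B: intermediate CA, CSR signed by A
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Intermediate B" \
    -keyout "$dir/B.key" -out "$dir/B.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/B.csr" -CA "$dir/A.pem" -CAkey "$dir/A.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/B.pem" >/dev/null 2>&1

  # C: server certificate, CSR signed by B
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout "$dir/C.key" -out "$dir/C.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/C.csr" -CA "$dir/B.pem" -CAkey "$dir/B.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/C.pem" >/dev/null 2>&1

  echo "$dir"
}

# Default verification: the chain must end at a self-signed certificate,
# so a trust store holding only B cannot complete the chain for C.
# Prints "ok" or "fail".
verify_default() {
  if openssl verify -CAfile "$1/B.pem" "$1/C.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Partial-chain verification: a certificate found in the trust store may end
# the chain even though it is not self-signed, so B becomes the anchor and
# A never has to be installed. Prints "ok" or "fail".
verify_partial() {
  if openssl verify -partial_chain -CAfile "$1/B.pem" "$1/C.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

chain=$(make_chain)
echo "default verify (trust store = B only): $(verify_default "$chain")"
echo "partial chain  (trust store = B only): $(verify_partial "$chain")"
rm -rf "$chain"
```

The same switch is available to library code as the X509_V_FLAG_PARTIAL_CHAIN verify flag (set through X509_VERIFY_PARAM_set_flags), so on current OpenSSL a client can trust B without the hand-written callback or fingerprint whitelist the thread describes. Both runs in the script are worth keeping when you adopt this in a deployment: the default run must fail, which confirms that A is not quietly reachable from the system trust store (`openssl verify` still consults the default CA locations unless told not to with `-no-CAfile` and `-no-CApath`), and the partial-chain run must pass, which confirms the trust store really contains the B that issued C.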