> From: owner-openssl-us...@openssl.org On Behalf Of David Coulson > Sent: Wednesday, 30 March, 2011 10:24
> On 3/30/11 8:33 AM, Crypto Sal wrote: > > David: > > > > Firefox caches that information, so that it can use them > later if you > > view a similar certificate hierarchy. > > > > If you view the Firefox Certificate Manager you should see > "Software > > Security Device" vs. that of "Built in Object" next to each of the > > certificates in question outside of the Entrust Root CA, > which should > > say 'Built In...'. > Understood - Is there a way to mimic this functionality with > OpenSSL via > CAfile or CApath? So far not having much luck doing that. I > pretty much > want to put the root & intermediate CA files somewhere and have my > s_client test utilize those for chaining, rather than what the web > server sends over. > As the manpage says. For s_client: -CAfile with one PEM file containing all needed certs, or -CApath with a directory containing each cert in its own PEM file linked as, or directly named, a hash of the (canonical) subject. On Unix opensslinstall/bin/c_rehash should do this for you; on Windows I don't have any easy way and just prefer -CAfile. For your own app, call SSL_[CTX_]load_verify_locations with the same argument values (derived however you like). But one thing that isn't stressed: openssl insists on verifying up to a root always. Even if an intermediate cert is in the truststore that isn't enough to verify the chain. And I don't think openssl will use the store to *override* what the server sends. It will *add* *missing* ones. Normally this shouldn't matter, because a given cert must always be the same; if altered, it's no longer valid. But when I looked briefly before at the s_client output and site you posted, there appeared to be two *different* certs for "Digicert High Assurance EV Root CA" -- same pubkey and SKID, but different validity and issuer/serial (at least). I'm not sure why, but look carefully at what/which you get. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
