On 12.01.2012 19:23, Michael S. Zick wrote:
> On Thu January 12 2012, Johannes Bauer wrote:
>> Hello group,
>>
>> I have a question regarding the verify method of OpenSSL: If I have a
>> certificate chain
>>
>> Root -> A -> B -> Leaf
>>
>> where "Leaf" is the certificate of a webserver (https) and Root is a
>> self-signed certificate.
>>
>> In this scenario, is it valid for the webserver to provide only A/B/Leaf
>> and omit "Root" during the SSL handshake? I'm seeing strange errors and
>> noticed that a webserver of ours is configured in that manner (and it
>> seems odd to me).
>>
> It is a "third party" verification system that is used.
> How could you trust the server to tell you itself who it is?
I can trust the webserver because the signature of its certificate was
verifiably created by the intermediate CA (which I trust and whose
certificate the client has in its trust store).

> Thus, the need for obtaining the root certificate some way
> other than having it sent by the server in question.
>
> And yes, 'root' certificates are self-signed,
> signed by an 'independent' third party in the business
> of being trusted for that purpose.

Well, the thing is: Having them self-signed is not necessary for security
purposes. It apparently is what OpenSSL requires.

> Which in this post, the 'trusted third party' seems to be
> your own network admin (which may be yourself ;-) )

Well, I'm just part of the big picture ;-)

Best regards,
Joe
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org