On 03/09/2013 10:40 AM, Kyle Hamilton wrote:
> Create a new self-signed client CA certificate with the same key and
> Subject, setting the Issuer to the Subject of the client CA, and signed
> with the client CA private key. Use this as your client-authentication
> "root".

Well yes. I know I could work around this by creating a self-signed root
for the clients. The point of the question is how to do this with a
hierarchy like the one I've described.

It's becoming pretty clear that OpenSSL doesn't provide a simple way to do
this today. (X509_V_FLAG_PARTIAL_CHAIN will probably enable this, but it
will be years before that makes its way into slower moving distributions.)

> Alternatively, you might play around with policies, but that relies on
> your hierarchy already having policies in its certificates.

My current thinking is that I should be able to do it with a validation
callback. I haven't worked out the details yet.

-- 
Ian Pilcher                                         arequip...@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
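Added example, not part of the message above or of OpenSSL's own code: the partial-chain behaviour the message mentions, shown with the openssl command line, where releases from 1.0.2 onward expose X509_V_FLAG_PARTIAL_CHAIN as `verify -partial_chain`. The hierarchy and every name in it (root, clientca, serverca, alice, www) are constructed assumptions, since the hierarchy under discussion is not shown in this message.

```shell
#!/bin/sh
# Throwaway PKI with constructed names (assumed layout, not from the thread):
#   root -> clientca -> alice      root -> serverca -> www

# new_cert NAME ISSUER|self ca|leaf : make a key and CSR, then sign the CSR.
new_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=Example $1" -out "$1.csr" 2>/dev/null || return 1
    if [ "$2" = self ]; then
        set -- "$1" "$2" "$3" -signkey "$1.key"
    else
        set -- "$1" "$2" "$3" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial
    fi
    if [ "$3" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
        set -- "$@" -extfile ca.ext
    fi
    name=$1; shift 3
    openssl x509 -req -in "$name.csr" -days 2 -out "$name.pem" "$@" 2>/dev/null
}

# build_pki DIR : create the whole hierarchy inside DIR (runs in a subshell).
build_pki() (
    cd "$1" || exit 1
    new_cert root self ca && new_cert clientca root ca &&
    new_cert serverca root ca && new_cert alice clientca leaf &&
    new_cert www serverca leaf
)

# verify_ok ANCHOR LEAF [verify options...] : true only if openssl reports OK.
# The output is parsed because older releases exit 0 even when verification fails.
verify_ok() {
    anchor=$1; leaf=$2; shift 2
    openssl verify "$@" -CAfile "$anchor" "$leaf" 2>&1 | grep -q ': OK$'
}

# Typical use:
#   d=$(mktemp -d) && build_pki "$d"
#   verify_ok "$d/clientca.pem" "$d/alice.pem" -partial_chain   # accepted
#   verify_ok "$d/clientca.pem" "$d/alice.pem"                  # rejected
#   verify_ok "$d/clientca.pem" "$d/www.pem" -partial_chain     # rejected
```

With only the intermediate client CA in the trust file, the default verifier rejects every chain because it cannot reach a self-signed root; with `-partial_chain` the client CA itself is the anchor, so certificates issued by the sibling server CA are still refused.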