Hi, the fact is a server can only send a single certificate; however, this one can be signed by multiple CAs. On the other side, a client has (in general) a list of trusted CAs, not a single one.

So there are two options:
- either each client knows the two CAs, then the server can send a certificate signed by any of them
- or each client knows only about its own CA, then the server must send a certificate signed by both CAs

(Note that this is symmetrical: the server verifies the client certificate the same way.)

I've never heard about a server with multiple certificates, at least not with SSL/TLS protocols...

Concerning the list of trusted CAs sent by the server to the client, it comes from the fact that a client can have multiple certificates, for different servers that can use their own CA, so it allows a client to choose the good certificate to send to a specific server.

Concerning the server, if it's in public access it uses a certificate issued by a "well-known" CA (for example one included in your browser); if it's "private", it can use its own CA or even a self-signed certificate, and the client has to recover the trusted certificates by itself (this happens the first time you connect to an SSH server for which you have no certificate, or on some websites).

Hope I made it clear, good luck!

----- Original message -----
From: Hafedh TRIMECHE <hafedh.trime...@gmail.com>
To: openssl-users@openssl.org
Sent: Fri, 13 Jun 2014 10:22:46 +0200 (CEST)
Subject: Re: Re : Re: Re : Re: 2 Server certificates

Hi Nicolas,

pit-ca issued another certificate to a client wanting to connect to the same server identified by secure.payerspot.com. I'm looking for a solution allowing two clients to connect to the same server using certificates issued by different CAs. In this case the client forces the server verification by requesting its certificate. So the two server certificates must be sent to each client.

Certificate chain1 (issued by CA1)
0 s:
  i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Certificate chain2 (issued by CA2)
0 s:
  i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Can two certificates be presented to a client which will identify the chained certificate to be verified?

Regards.

--
View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50937.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
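The two options in the reply above (every client trusting both CAs, or the server presenting a chain that both CAs have signed), carried out with the openssl command line as an added example that is not part of the thread. It builds two constructed root CAs, pit-ca (the name from the thread) and other-ca (an assumed name), and one leaf certificate for secure.payerspot.com, then runs `openssl verify` with the trust store each kind of client would hold. The second option is shown the way X.509 actually supports it: the leaf itself carries one signature, so a single intermediate key (assumed name pit-intermediate) is cross-signed by both roots, and the server sends the intermediate that matches the client's root next to the same leaf. The throw-away config file, file names and helper functions are this example's own; it needs only a working openssl binary (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not code from the thread: two constructed CAs (pit-ca from
# the thread, other-ca assumed) and one server certificate for
# secure.payerspot.com, verified from the point of view of each client.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the result does not depend on the distribution's openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:secure.payerspot.com
EOF

# make_root NAME: self-signed root CA written to NAME.key / NAME.crt
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# make_csr NAME CN: fresh key NAME.key and certificate request NAME.csr
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# issue CSR SIGNER_CERT SIGNER_KEY EXT_SECTION OUT: sign a request
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 \
    -extfile ca.cnf -extensions "$4" -out "$5" >/dev/null 2>&1
}

# verify_with BUNDLE CERT [UNTRUSTED]: what a client whose trust store is
# BUNDLE decides about CERT, given the extra chain cert the server sent.
# Prints "ok" or "FAIL".
verify_with() {
  if [ $# -ge 3 ]; then
    extra="-untrusted $3"
  else
    extra=""
  fi
  # $extra is left unquoted on purpose so an empty value adds no argument.
  if openssl verify -CAfile "$1" $extra "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

make_root pit-ca
make_root other-ca

# Option 1: a leaf issued directly by pit-ca. Only a client that trusts pit-ca
# (alone or in a bundle together with other CAs) accepts it.
make_csr server secure.payerspot.com
issue server.csr pit-ca.crt pit-ca.key v3_server server-direct.crt
cat pit-ca.crt other-ca.crt > both-cas.pem

# Option 2: one intermediate key, cross-signed by both roots. The same leaf
# then chains to whichever root the client trusts, provided the server sends
# the matching intermediate alongside it.
make_csr int pit-intermediate
issue int.csr pit-ca.crt pit-ca.key v3_ca int-by-pit.crt
issue int.csr other-ca.crt other-ca.key v3_ca int-by-other.crt
issue server.csr int-by-pit.crt int.key v3_server server-cross.crt

echo "direct leaf, client trusts both CAs:         $(verify_with both-cas.pem server-direct.crt)"
echo "direct leaf, client trusts other-ca only:    $(verify_with other-ca.crt server-direct.crt)"
echo "cross-signed, trusts pit-ca, pit chain:      $(verify_with pit-ca.crt server-cross.crt int-by-pit.crt)"
echo "cross-signed, trusts other-ca, other chain:  $(verify_with other-ca.crt server-cross.crt int-by-other.crt)"
echo "cross-signed, trusts other-ca, pit chain:    $(verify_with other-ca.crt server-cross.crt int-by-pit.crt)"
```

The last line is the case to watch in practice: a cross-signed intermediate only helps if the server is configured to send the variant that the connecting client's trust store can chain to, so a TLS server serving both client populations still needs some way (a second listener, SNI, or simply shipping both intermediates when the client software tolerates extra chain certificates) to get the right chain to each client.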