Certificate chain validation


Certificate chain validation

Lei Kong

When validating a certificate issued by an intermediate certificate authority, I noticed that I need to install both the root and the intermediate CA certificate locally (with update-ca-certificates on ubuntu 16.04). Verification fails if only root CA cert is installed (intermediate is not installed), is this expected behavior? Why do I need to install intermediate CA cert locally? Locally installed root CA cert is not enough to validate intermediate CA cert?

Is it possible to make chain validation work with only root CA cert installed locally?

Thanks.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Certificate chain validation

Jakob Bohm-7
On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate
> authority, I noticed that I need to install both the root and the
> intermediate CA certificate locally (with update-ca-certificates on
> ubuntu 16.04). Verification fails if only root CA cert is installed
> (intermediate is not installed), is this expected behavior? Why do I
> need to install intermediate CA cert locally? Locally installed root
> CA cert is not enough to validate intermediate CA cert?
>
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

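Added example, not code from the thread or from any poster: it reproduces the situation Jakob describes with the openssl command line. A throwaway root, intermediate and leaf are constructed, the leaf is verified against the root alone (fails, the intermediate is missing), and then the bundle a correctly configured peer would send is handed to the verifier as untrusted extra certificates via -untrusted, which is the CLI counterpart of the untrusted list passed to the verify functions. It assumes an openssl binary of 1.1.0 or later with its default config available; all names and paths are made up.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> leaf (no real names or keys).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() (
    cd "$WORK"
    # Root CA: self-signed; req -x509 marks it CA:TRUE from the default config.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root" \
        -keyout root.key -out root.pem >/dev/null 2>&1
    # Intermediate CA: signed by the root; must carry CA:TRUE or chain building rejects it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout int.key -out int.csr >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -extfile ca.ext -out int.pem >/dev/null 2>&1
    # Leaf (end-entity): signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.demo.invalid" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
    # The bundle a correctly configured server sends: leaf first, then the intermediate.
    # This leaf-first order is also the layout SSL_CTX_use_certificate_chain_file expects.
    cat leaf.pem int.pem > fullchain.pem
)

# Trust store = root only (-no-CApath keeps the system /etc/ssl/certs out of the picture,
# so a system-installed intermediate cannot mask the result). Prints OK or FAIL.
verify_root_only() {
    if openssl verify -no-CApath -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Same trust store, but the received bundle is supplied as untrusted additional certs,
# which the chain builder may search for the intermediate it needs.
verify_with_bundle() {
    if openssl verify -no-CApath -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/fullchain.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

make_chain
echo "root only:          $(verify_root_only)"    # FAIL: unable to get local issuer certificate
echo "root + sent bundle: $(verify_with_bundle)"  # OK
```

Nothing in the bundle becomes trusted; -untrusted only lets the verifier find the intermediate, and the chain still has to end at root.pem.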

Re: Certificate chain validation

OpenSSL - User mailing list
In reply to this post by Lei Kong

No, you must have a chain up to a local trust anchor.

You can install the intermediate in your trust store.

-- 
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: [hidden email] Twitter: RichSalz

 

From: Lei Kong [mailto:[hidden email]]
Sent: Thursday, April 20, 2017 9:38 PM
To: [hidden email]
Subject: [openssl-users] Certificate chain validation

 

When validating a certificate issued by an intermediate certificate authority, I noticed that I need to install both the root and the intermediate CA certificate locally (with update-ca-certificates on ubuntu 16.04). Verification fails if only root CA cert is installed (intermediate is not installed), is this expected behavior? Why do I need to install intermediate CA cert locally? Locally installed root CA cert is not enough to validate intermediate CA cert?

 

Is it possible to make chain validation work with only root CA cert installed locally?

 

Thanks.

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Certificate chain validation

Lei Kong
In reply to this post by Jakob Bohm-7

Right on!

I think it is indeed an issue of partial chain on the loading side.

As a related question, on the loading side, do I need to provide the whole chain to SSL_CTX_use_certificate?

If the intermediate CA certificate is installed into default locations like /etc/ssl/certs, and only the end certificate is passed to SSL_CTX_use_certificate, will openssl search the default locations to build a complete chain before sending it to the remote side?

Thanks.

 

From: [hidden email]
Sent: Friday, April 21, 2017 5:10 AM
To: [hidden email]
Subject: Re: [openssl-users] Certificate chain validation

 

On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate
> authority, I noticed that I need to install both the root and the
> intermediate CA certificate locally (with update-ca-certificates on
> ubuntu 16.04). Verification fails if only root CA cert is installed
> (intermediate is not installed), is this expected behavior? Why do I
> need to install intermediate CA cert locally? Locally installed root
> CA cert is not enough to validate intermediate CA cert?
>
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Certificate chain validation

Lei Kong

According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html, openssl will search the default locations for chain building:
If no chain is specified, the library will try to complete the chain from the available CA certificates in the trusted CA storage, see SSL_CTX_load_verify_locations.

 

From: [hidden email]
Sent: Friday, April 21, 2017 2:10 PM
To: [hidden email]
Subject: RE: [openssl-users] Certificate chain validation

 

Right on!

I think it is indeed an issue of partial chain on the loading side.

 

As a related question, on the loading side, do I need to provide the whole chain to SSL_CTX_use_certificate?

If intermediate CA certificate is installed into default locations like /ets/ssl/certs, and only end certificate is passed to SSL_CTX_use_certificate, will openssl search the default locations to build a complete chain before sending it to the remote side?

 

Thanks.

 

From: [hidden email]
Sent: Friday, April 21, 2017 5:10 AM
To: [hidden email]
Subject: Re: [openssl-users] Certificate chain validation

 

On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate
> authority, I noticed that I need to install both the root and the
> intermediate CA certificate locally (with update-ca-certificates on
> ubuntu 16.04). Verification fails if only root CA cert is installed
> (intermediate is not installed), is this expected behavior? Why do I
> need to install intermediate CA cert locally? Locally installed root
> CA cert is not enough to validate intermediate CA cert?
>
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

 

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Certificate chain validation

OpenSSL - User mailing list

You are asking two different questions.

The certificates that the *client* sends are specified by the various “use certificate” APIs.  No chain is built.  See doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain file” API.

As for what the *server* does, it tries to use what the client sends and build a chain up to one of the certificates that is in the local, server, trust store.

The APIs are a bit different for 1.0.2 than for 1.1.0.



Re: Certificate chain validation

Lei Kong

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html

The linked documents didn’t say the APIs must be called on the *client* side, and it works fine in my code on both client and server side.

I am under the impression that there is no asymmetry in terms of *sending*-side chain building for client and server side. What you said below means the client side always sends a *partial* chain to the server side?

Thanks.
