Retrieving Root CA certificate using "openssl s_client -showcerts" command

Retrieving Root CA certificate using "openssl s_client -showcerts" command

Mofassir Ul Haque
Hi All,
 
The output of the "openssl s_client -showcerts -connect ......." command does not include the Root certificate (which is expected behaviour). However, is it possible to configure the server to return the Root CA certificate also?
 
Thanks,

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

Erwann Abalea-4
Hello,

The root certificate is not expected to be sent by the server, as it already needs to be known and trusted by the client.
However, you’re free to configure your server to send it, for debugging or informational purposes.

Regards,
Erwann Abalea

On 8 Nov 2016, at 03:36, Mofassir Ul Haque <[hidden email]> wrote:

Hi All,

The output of the "openssl s_client -showcerts -connect ......." command does not include the Root certificate (which is expected behaviour). However, is it possible to configure the server to return the Root CA certificate also?
 
Thanks,


Re: Retrieving Root CA certificate using "openssl s_client -showcerts" command

Salz, Rich
In reply to this post by Mofassir Ul Haque

Yes, just put the entire chain in the server’s PEM file.


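Added example, not part of any message in this thread: a shell sketch of the "entire chain in the server's PEM file" answer, which builds a constructed throwaway root CA and leaf, writes a leaf-only file and a full-chain file, and checks whether the last certificate in each is a self-issued root. The function names, CNs and file names are assumptions of this example, and the chain has no intermediate CA.

```bash
#!/usr/bin/env bash
# Added example. The CA, host name and file names are constructed for the demo.
set -eu

# Build a throwaway root CA and a leaf it signs, then two candidate server files.
make_demo() {
  demo_dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$demo_dir/root.key" -out "$demo_dir/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/leaf.csr" -CA "$demo_dir/root.pem" \
    -CAkey "$demo_dir/root.key" -CAcreateserial -days 1 \
    -out "$demo_dir/leaf.pem" 2>/dev/null
  # Usual deployment: the root is left out.
  cp "$demo_dir/leaf.pem" "$demo_dir/leaf-only.pem"
  # Entire chain: leaf first, root last.
  cat "$demo_dir/leaf.pem" "$demo_dir/root.pem" > "$demo_dir/fullchain.pem"
}

# Number of PEM certificates in a chain file or in saved -showcerts output.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the last PEM certificate block found in the file.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; on = 1 }
       on { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { on = 0; last = buf }
       END { printf "%s", last }' "$1"
}

# True when the last certificate is self-issued (subject equals issuer),
# which is the shape of a root CA certificate.
chain_ends_in_root() {
  pem=$(last_cert "$1")
  subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject 2>/dev/null | sed 's/^subject= *//')
  issr=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
  [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

work=$(mktemp -d)
make_demo "$work"
for f in leaf-only.pem fullchain.pem; do
  if chain_ends_in_root "$work/$f"; then root=yes; else root=no; fi
  echo "$f: $(count_certs "$work/$f") certificate(s), root included: $root"
done
rm -rf "$work"
```

The same two checks can be run on the saved output of `openssl s_client -showcerts`, since it prints each certificate the server sent as a PEM block.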
Re: (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

Viktor Dukhovni
In reply to this post by Erwann Abalea-4

> On Nov 8, 2016, at 4:26 AM, Erwann Abalea <[hidden email]> wrote:
>
> The root certificate is not expected to be sent by the server, as it already needs to be known and trusted by the client.
> However, you’re free to configure your server to send it, for debugging or informational purposes.

A root CA certificate MUST be sent when the server's DANE-TA(2)
TLSA record designates that root as a trust-anchor.

        https://tools.ietf.org/html/rfc7671#section-5.2

--
        Viktor.

Re: Retrieving Root CA certificate using "openssl s_client -showcerts" command

OpenSSL - User mailing list
In reply to this post by Salz, Rich
Hi Salz,

Thanks for your reply and clarification.

Best Regards,

Mofassir


On Wednesday, 9 November 2016 1:48 AM, "Salz, Rich" <[hidden email]> wrote:


Yes, just put the entire chain in the server’s PEM file.


