certificate chains and verification requirements


certificate chains and verification requirements

Sudarshan Raghavan
Hello OpenSSL users,

I have this certificate chain, root ca -> intermediate ca 1 -> intermediate ca 2 -> leaf certificate. With this chain, I attempted combinations of openssl verify commands to understand how it works with certificate chains.

1. openssl verify -CAfile <chain containing certificates of intermediate ca 2, intermediate ca 1 and root ca in that order> <leaf certificate>. This verifies ok as expected.
2. openssl verify -CAfile <same ca chain as in 1> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This verifies ok as expected.
3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This fails with this error

"error 20 at 0 depth lookup: unable to get local issuer certificate
error leafchain.pem: verification failed"

I understand the reason for this is that the issuer of the leaf certificate (intermediate ca 2) is not part of the trusted chain. But the leaf chain has all the certificates up to the root ca, and the root ca is the trusted CA I am verifying against. I thought this would verify ok, but I am clearly wrong. I can pass in the intermediate ca certificates using the -untrusted option and it will work. But I was stumped by 3 and I am curious to know if there is a document or RFC section explaining the behaviour. I have been trying to search for something and I am clearly doing a bad job of it, because I have not been able to find any.

Regards,
Sudarshan

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: certificate chains and verification requirements

Viktor Dukhovni

> On Aug 13, 2017, at 11:39 AM, Sudarshan Raghavan <[hidden email]> wrote:
>
> 3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This fails with this error
>
> "error 20 at 0 depth lookup: unable to get local issuer certificate
> error leafchain.pem: verification failed"
>
> I understand the reason for this is, the issuer of leaf certificate (intermediate ca 2) is not part of the trusted chain.

Actually, that's not the reason.  The positional [certificates]
arguments to verify(1) are not "chains".  Only the first (leaf)
certificate of each of the argument files is processed.

To import additional chain elements use the [-untrusted file]
argument to provide additional untrusted certificates with
which to build the chain.

--
        Viktor.
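Viktor's point can be checked end to end. The script below is an added example, not code from this thread or from the OpenSSL project: it builds a throwaway root ca -> intermediate ca 1 -> intermediate ca 2 -> leaf chain (all key, file and function names are constructed here), then runs the three verify(1) invocations from the first message and the -untrusted variant. Case 3 fails with "error 20 at 0 depth lookup" because only the first certificate in leafchain.pem is read as the certificate to verify; the rest of the file is ignored, so the chain builder has no issuer for the leaf in the trust store.

```shell
#!/bin/sh
# Added example (not from the thread). Requires a modern openssl (1.1.1 or 3.x)
# on PATH; everything is created in a temporary directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files (constructed here) so the intermediates are real CAs
# and the leaf is not: verify(1) checks basicConstraints on each CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# newcsr NAME: throwaway P-256 key plus a CSR with CN=NAME
newcsr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: issue NAME.pem; an empty ISSUER means self-signed
sign() {
  if [ -z "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

newcsr root; sign root ""   ca.ext
newcsr int1; sign int1 root ca.ext
newcsr int2; sign int2 int1 ca.ext
newcsr leaf; sign leaf int2 leaf.ext

# The files used in the three cases from the first message.
cat int2.pem int1.pem root.pem          > cas.pem        # -CAfile of cases 1 and 2
cat leaf.pem int2.pem int1.pem root.pem > leafchain.pem  # "leaf chain"
cat int2.pem int1.pem                   > ints.pem       # intermediates only

# verify_ok ARGS...: exit 0 when `openssl verify ARGS...` succeeds, 1 otherwise
verify_ok() { openssl verify "$@" >/dev/null 2>&1; }

# Case 1: every issuer up to the root is in the trust store -> OK.
case1() { verify_ok -CAfile cas.pem leaf.pem; }
# Case 2: same trust store; only leaf.pem's first cert is verified -> OK.
case2() { verify_ok -CAfile cas.pem leafchain.pem; }
# Case 3: trust store holds only the root; the intermediates that follow the
# leaf in leafchain.pem are never read, so the leaf's issuer cannot be found
# -> "error 20 at 0 depth lookup: unable to get local issuer certificate".
case3() { verify_ok -CAfile root.pem leafchain.pem; }
# Case 3 with the intermediates supplied as untrusted chain material -> OK.
case3_untrusted() { verify_ok -CAfile root.pem -untrusted ints.pem leafchain.pem; }

# Human-readable run; `-show_chain` prints the chain verify(1) actually built.
case1 && echo "case 1: OK"
case2 && echo "case 2: OK"
case3 || echo "case 3: FAILED (expected)"
openssl verify -show_chain -CAfile root.pem -untrusted ints.pem leafchain.pem
```

Passing leafchain.pem itself as the -untrusted file also works, since the extra root copy in it is simply not used as a trust anchor; the point is that positional arguments contribute one certificate each, and everything else has to arrive through -untrusted or the trust store.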


Re: certificate chains and verification requirements

Sudarshan Raghavan
>> Actually, that's not the reason.  The positional [certificates]
>> arguments to verify(1) are not "chains".  Only the first (leaf)
>> certificate of each of the argument files is processed.

Ok, that makes sense. Thanks for the update. I was trying this experiment to understand a client authentication failure in a similar scenario. I can now look at the code to figure out what is going on.

Regards,
Sudarshan

On Sun, Aug 13, 2017 at 9:49 AM, Viktor Dukhovni <[hidden email]> wrote: