| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Ian Pilcher <arequipeno(at)gmail(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Trust intermediate CA for client certificates |
| Date: | 2013-12-02 22:43:48 |
| Message-ID: | 20131202224348.GB17272@tamriel.snowman.net |
| Lists: | pgsql-general pgsql-hackers |

* Andrew Dunstan (andrew(at)dunslane(dot)net) wrote:

> But it does need to be signed by a trusted signatory. At least in my
> test script (pretty ugly, but shown below for completeness), the
> Intermediate CA cert is signed with the Root cert rather than being
> self-signed as the Root cert is, and so if the server doesn't have
> that root cert as a trusted cert the validation fails.

Ok, good, that's really how it "should" be. As a side-note, I'd be very
curious about a self-signed intermediate cert.. :)

> In case 1, we put the root CA cert on the server and append the
> intermediate CA cert to the client's cert. This succeeds. In case 2,
> we put the intermediate CA cert on the server without the root CA's
> cert, and use the bare client cert. This fails. In case 3, we put
> both the root and the intermediate certs in the server's root.crt,
> and use the bare client key, and as expected this succeeds.

Excellent, that's really how it ought to be and I'm glad you had a
chance to test and verify it.

> So the idea that you can just plonk any Intermediate CA cert in
> root.crt and have all keys it signs validated is not true, AFAICT.

I'm afraid it may have been true once, a while back, but we fixed it.

Thanks!

Stephen
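The three cases Andrew walks through can be reproduced with the openssl CLI alone, since the PostgreSQL server hands client-certificate validation to OpenSSL: `-CAfile` stands in for the server's root.crt and `-untrusted` for the chain the client sends along. This is an added example script, not code from the thread; it assumes the openssl CLI is installed and builds its own throwaway root, intermediate and client certificates (the CA names and the user `pguser` are constructed).

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the three cases with
# the openssl CLI. -CAfile plays the role of the server's root.crt and
# -untrusted plays the role of the intermediate a client appends to its cert.
# Assumes the openssl CLI (1.1.0 or newer) is on PATH; all certs are throwaway.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
  -keyout root.key -out root.crt -days 2 >/dev/null 2>&1

# Intermediate CA: signed by the root, not self-signed, and marked CA:TRUE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out int.crt -days 2 >/dev/null 2>&1

# Client (leaf) certificate signed by the intermediate; pguser is a made-up name.
openssl req -newkey rsa:2048 -nodes -subj "/CN=pguser" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out client.crt -days 2 >/dev/null 2>&1

# Case 3's root.crt: root and intermediate concatenated into one trust file.
cat root.crt int.crt > both.crt

# verdict TRUSTFILE [CHAIN]: echoes "accepted" or "rejected" for client.crt,
# trusting only TRUSTFILE (system stores disabled) and treating CHAIN, if
# given, as untrusted intermediates, exactly as a client-supplied chain is.
verdict() {
  if [ -n "$2" ]; then set -- -CAfile "$1" -untrusted "$2"; else set -- -CAfile "$1"; fi
  if openssl verify -no-CAfile -no-CApath "$@" client.crt >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

case1() { verdict root.crt int.crt; }  # root trusted, intermediate sent by client
case2() { verdict int.crt; }           # intermediate alone trusted, no root
case3() { verdict both.crt; }          # root and intermediate both trusted

echo "case 1: $(case1)"   # accepted
echo "case 2: $(case2)"   # rejected: chain cannot reach a self-signed trust anchor
echo "case 3: $(case3)"   # accepted
```

Case 2 is the one that matters for the "just plonk an intermediate in root.crt" question: OpenSSL only accepts a chain that terminates in a trusted self-signed root, so an intermediate on its own in the trust file does not validate the certificates it signed.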