On 11/27/2012 10:08 AM, Rob Crittenden wrote:
I need some help with best practice for a subordinate CA and
distributing the CA certificate(s).
If I have a root cert A, which issues a subordinate CA B, what does an
SSL client need to trust in order to communicate with a server
certificate issued by B? Does it only need to know about and trust B
or does it need to know and trust A as well?
I ask because I see different behavior in testing ldapsearch in RHEL-5
(openSSL) and RHEL-6 (NSS).
RHEL-5 requires the entire cert chain, RHEL-6 requires just the leaf.
Currently IPA only distributes the IPA CA, not the rest of the chain.
The answer will impact a CVE we're working on, so our need is urgent
and the word is mum.
I just spoke with Bob about this. With NSS, you only need to explicitly
trust the subordinate CA cert (the IPA CA cert in your case).
Verification through the chain will stop at the first trusted cert in
the chain. There is no need to go further up the chain.
You could also only trust the root cert, which would work fine since NSS
would walk the chain and eventually find that the root is trusted (hence
the subordinate is trusted).
Bob believes that OpenSSL's verification should not be requiring you to
explicitly trust the whole chain.
-NGK
thanks
rob
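The behaviour NGK describes, as an added shell demo that is not part of this thread: it builds a constructed root A, subordinate B and server leaf, then runs OpenSSL's verifier with different trust stores. It assumes an `openssl` binary on PATH (1.0.2 or newer for `-partial_chain`); all names and paths are constructed.

```shell
#!/bin/sh
# Added demo, not from the thread: root A -> subordinate B -> server leaf,
# then what OpenSSL's verifier needs in its trust store. All names constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# $1=name $2=subject $3=issuer name ($3 = $1 means self-signed) $4=extensions
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
  printf '%s\n' "$4" > "$WORK/$1.ext"
  if [ "$1" = "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

make_chain() {
  issue A    "/CN=Root A"            A "basicConstraints=critical,CA:TRUE"
  issue B    "/CN=Sub CA B"          A "basicConstraints=critical,CA:TRUE"
  issue leaf "/CN=ldap.example.test" B "basicConstraints=CA:FALSE"
}

# Print ok/fail rather than exiting, so set -e does not abort the script.
verify() { if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi; }

# Trust A only; B is presented as an untrusted intermediate (what a server sends).
verify_root_trusted() { verify -CAfile "$WORK/A.crt" -untrusted "$WORK/B.crt" "$WORK/leaf.crt"; }
# Trust B only: by default OpenSSL insists the chain end at a self-signed root.
verify_sub_only()     { verify -CAfile "$WORK/B.crt" "$WORK/leaf.crt"; }
# Trust B only with -partial_chain (OpenSSL >= 1.0.2): stop at the first trusted cert, as NSS does.
verify_sub_partial()  { verify -partial_chain -CAfile "$WORK/B.crt" "$WORK/leaf.crt"; }

make_chain
echo "A trusted, B as untrusted intermediate: $(verify_root_trusted)"
echo "B trusted only, default:                $(verify_sub_only)"
echo "B trusted only, -partial_chain:         $(verify_sub_partial)"
```

The middle case is the RHEL-5 symptom from the thread: a trust store holding only the subordinate is rejected until the chain can reach a self-signed root or `-partial_chain` is set.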
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel