[Pki-devel] Best practice for cert chains

Nathan Kinder nkinder at redhat.com
Tue Nov 27 18:49:15 UTC 2012


On 11/27/2012 10:08 AM, Rob Crittenden wrote:
> I need some help with best practice for a subordinate CA and 
> distributing the CA certificate(s).
>
> If I have a root cert A, which issues a subordinate CA B, what does an 
> SSL client need to trust in order to communicate with a server 
> certificate issued by B? Does it only need to know about and trust B 
> or does it need to know and trust A as well?
>
> I ask because I see different behavior in testing ldapsearch in RHEL-5 
> (OpenSSL) and RHEL-6 (NSS).
>
> RHEL-5 requires the entire cert chain, RHEL-6 requires just the leaf.
>
> Currently IPA only distributes the IPA CA, not the rest of the chain. 
> The answer will impact a CVE we're working on, so our need is urgent 
> and the word is mum.
I just spoke with Bob about this.  With NSS, you only need to explicitly 
trust the subordinate CA cert (the IPA CA cert in your case).  
Verification through the chain will stop at the first trusted cert in 
the chain.  There is no need to go further up the chain.

You could also only trust the root cert, which would work fine since NSS 
would walk the chain and eventually find that the root is trusted (hence 
the subordinate is trusted).

Bob believes that OpenSSL's verification should not be requiring you to 
explicitly trust the whole chain.

-NGK
>
> thanks
>
> rob
>
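As an added illustration of the two verification behaviours discussed in this thread (example code written here, not code from the original messages, from pki-devel, from NSS or from OpenSSL): a small chain walker built with the Python `cryptography` library. It generates a throwaway root A, a subordinate B and a leaf issued by B, then checks the leaf under the "stop at the first trusted cert" policy Nathan describes for NSS and under a stricter "path must end at a trusted self-signed root" policy that reproduces what Rob saw on RHEL-5. All names and keys are constructed for the example, and the `partial_chain` flag is this example's own switch between the two policies.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HASH = hashes.SHA256()


def make_cert(common_name, issuer=None, is_ca=False):
    """Issue a throwaway P-256 certificate (constructed for this example).
    `issuer` is a (cert, key) pair; None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_name, signing_key = (subject, key) if issuer is None else (issuer[0].subject, issuer[1])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, HASH)
    )
    return cert, key


def is_self_signed(cert):
    return cert.subject == cert.issuer


def verify_chain(leaf, untrusted, trusted, partial_chain):
    """Walk from the leaf towards a trust anchor; return the path or None.

    partial_chain=True : stop at the first certificate that is itself trusted,
                         self-signed or not (the NSS behaviour: trusting only
                         the IPA CA B is enough, even with no root on hand).
    partial_chain=False: the path must end at a trusted self-signed root, so a
                         trusted intermediate by itself is not enough (the
                         older-OpenSSL behaviour Rob saw on RHEL-5).
    """
    trusted_fps = {c.fingerprint(HASH) for c in trusted}
    # Issuer lookup by name; trusted copies take precedence over supplied ones.
    by_subject = {c.subject: c for c in list(untrusted) + list(trusted)}
    path, current = [leaf], leaf
    for _ in range(8):  # hard cap on path length
        if current.fingerprint(HASH) in trusted_fps and (partial_chain or is_self_signed(current)):
            return path
        if is_self_signed(current):
            return None  # reached a root that is not a trust anchor
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return None  # issuer neither supplied by the peer nor in the store
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return None  # issuer is not marked as a CA
        try:  # a name match is not trust: the signature must verify under the issuer key
            issuer.public_key().verify(current.signature, current.tbs_certificate_bytes,
                                       ec.ECDSA(current.signature_hash_algorithm))
        except InvalidSignature:
            return None
        path.append(issuer)
        current = issuer
    return None


def run_cases():
    """Root A -> subordinate B -> leaf, checked under both policies."""
    root, root_key = make_cert("Root CA A", is_ca=True)
    sub, sub_key = make_cert("IPA CA B", issuer=(root, root_key), is_ca=True)
    leaf, _ = make_cert("ipa.example.test", issuer=(sub, sub_key))
    # A look-alike CA with B's name but a different key, signing a forged leaf.
    rogue, rogue_key = make_cert("IPA CA B", is_ca=True)
    forged, _ = make_cert("ipa.example.test", issuer=(rogue, rogue_key))
    ok = lambda *a: verify_chain(*a) is not None
    return {
        "partial/trust B only": ok(leaf, [], [sub], True),                 # True
        "partial/trust A, B supplied": ok(leaf, [sub], [root], True),      # True
        "partial/trust A, B missing": ok(leaf, [], [root], True),          # False
        "strict/trust B only": ok(leaf, [], [sub], False),                 # False
        "strict/trust B, A supplied untrusted": ok(leaf, [root], [sub], False),  # False
        "strict/trust A and B": ok(leaf, [], [sub, root], False),          # True
        "strict/trust A, B supplied": ok(leaf, [sub], [root], False),      # True
        "nothing trusted": ok(leaf, [sub, root], [], True),                # False
        "forged leaf, look-alike issuer name": ok(forged, [rogue], [sub], True),  # False
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:40s} {'verified' if result else 'rejected'}")
```

The first and fourth cases are the thread's question in code: with only B trusted, the partial-chain policy accepts the leaf while the strict policy does not, which is why a client that behaves like RHEL-5 needs the root as well. Modern OpenSSL exposes the same choice as the `X509_V_FLAG_PARTIAL_CHAIN` verify flag (added in 1.0.2); the `partial_chain` parameter here is the example's own name for that switch. The last case shows why the walker verifies signatures rather than matching issuer names: a CA that merely copies B's subject name is rejected.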