OT: SSL certificate chain problems
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Jan 26 01:06:00 EST 2007

Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:

>Generally it is enough for a TLS server or client to present its own
>certificate and all *intermediate* CA certificates, sending the root CA cert
>is optional, because if the verifying system trusts the root CA in question,
>it has a local copy of that root CA cert.

In some cases it may be useful to send the entire chain, one such being when a
CA re-issues its root with a new expiry date, as Verisign did when its roots
expired in December 1999. The old root can be used to verify the new root.

Peter.