OT: SSL certificate chain problems

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jan 26 01:06:00 EST 2007

Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:

>Generally it is enough for a TLS server or client to present its own
>certificate and all *intermediate* CA certificates, sending the root CA cert
>is optional, because if the verifying system trusts the root CA in question,
>it has a local copy of that root CA cert. 

In some cases it may be useful to send the entire chain, one such being when a
CA re-issues its root with a new expiry date, as Verisign did when its roots
expired in December 1999.  The old root can be used to verify the new root.

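Worked example of the situation Gutmann describes, added here and not part of his post or of any CA's tooling: a constructed PKI in which one CA key signs an "old" root that has already expired and a re-issued root with the same subject and key but a new validity period, then an intermediate and a leaf. The simplified chain walk in `verify_chain()` accepts the re-issued root as the anchor only when the old root's key verifies its signature. The names (Example Root CA, www.example.com), validity windows, the impostor certificate and the verification policy itself are assumptions made for illustration; the third-party `cryptography` library is used for certificate generation and signature checks.

```python
# Added example (not from the original post): one CA key signs an expired "old" root
# and a re-issued "new" root; verify_chain() is a deliberately simplified path walk.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
DAY = datetime.timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject, issuer, pubkey, signing_key, not_before, not_after, ca):
    """Minimal v3 certificate: subject/issuer CN, validity window, BasicConstraints."""
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


# Constructed sample PKI (hypothetical names).  ROOT_KEY signs both roots, as when a CA
# re-issues its root with a new expiry date; the old root expired a year ago.
ROOT_KEY, INT_KEY, LEAF_KEY, ROGUE_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
ROOT_OLD = make_cert("Example Root CA", "Example Root CA", ROOT_KEY.public_key(), ROOT_KEY,
                     NOW - 6 * 365 * DAY, NOW - 365 * DAY, ca=True)
ROOT_NEW = make_cert("Example Root CA", "Example Root CA", ROOT_KEY.public_key(), ROOT_KEY,
                     NOW - 365 * DAY, NOW + 20 * 365 * DAY, ca=True)
INTERMEDIATE = make_cert("Example Intermediate CA", "Example Root CA", INT_KEY.public_key(),
                         ROOT_KEY, NOW - DAY, NOW + 365 * DAY, ca=True)
LEAF = make_cert("www.example.com", "Example Intermediate CA", LEAF_KEY.public_key(), INT_KEY,
                 NOW - DAY, NOW + 90 * DAY, ca=False)
# Impostor: right subject name, wrong key.  Must never be accepted as the anchor.
ROGUE_ROOT = make_cert("Example Root CA", "Example Root CA", ROGUE_KEY.public_key(), ROGUE_KEY,
                       NOW - DAY, NOW + 365 * DAY, ca=True)


def _valid_at(cert, when):
    try:  # cryptography >= 42 gives aware datetimes; older releases give naive UTC
        not_before, not_after = cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        utc = datetime.timezone.utc
        not_before = cert.not_valid_before.replace(tzinfo=utc)
        not_after = cert.not_valid_after.replace(tzinfo=utc)
    return not_before <= when <= not_after


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _signed_by(cert, issuer):
    """Name chaining plus a real signature check with the issuer's public key."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def verify_chain(leaf, presented, trust_anchors, when=NOW, max_depth=6):
    """Walk from the leaf to a trust anchor through the certificates the peer sent.

    Returns (True, chain) or (False, reason).  Each link must be name-chained,
    signature-valid and time-valid.  An expired anchor is still used to verify a
    re-issued root the peer sent, which then becomes the anchor.  Not full RFC 5280.
    """
    chain, cur = [leaf], leaf
    for depth in range(max_depth):
        if not _valid_at(cur, when):
            return False, f"{cur.subject.rfc4514_string()} not valid at {when:%Y-%m-%d}"
        if depth > 0 and not _is_ca(cur):
            return False, f"{cur.subject.rfc4514_string()} is not a CA certificate"
        anchor = next((a for a in trust_anchors if _signed_by(cur, a)), None)
        if anchor is not None:
            if _valid_at(anchor, when):
                return True, chain + [anchor]
            for cand in presented:  # the old root's key must verify the re-issued root
                if (cand.subject == anchor.subject and _signed_by(cand, anchor)
                        and _is_ca(cand) and _valid_at(cand, when)):
                    return True, chain + [cand]
            return False, "trust anchor expired and no re-issued root verifiable with its key was sent"
        issuer = next((c for c in presented if c is not cur and _signed_by(cur, c)), None)
        if issuer is None:
            return False, f"no issuer sent for {cur.subject.rfc4514_string()}"
        chain.append(issuer)
        cur = issuer
    return False, "chain too long"


if __name__ == "__main__":
    for label, sent, store in [("old root in store, full chain sent", [INTERMEDIATE, ROOT_NEW], [ROOT_OLD]),
                               ("old root in store, root not sent", [INTERMEDIATE], [ROOT_OLD]),
                               ("old root in store, impostor root sent", [INTERMEDIATE, ROGUE_ROOT], [ROOT_OLD])]:
        ok, detail = verify_chain(LEAF, sent, store)
        print(f"{label}: {'OK' if ok else 'FAIL: ' + detail}")
```

Running it shows the three outcomes: with only the expired old root in the store, the chain verifies when the server also sends the re-issued root, fails when it does not, and fails when a same-named root under a different key is sent instead. The line that matters is the candidate loop in `verify_chain()`: the presented root replaces the expired anchor only because the key already trusted verifies its signature. Real validators differ in how they treat expired anchors and name collisions with trusted certificates, so read the policy as an illustration of the key-continuity check, not as what any particular TLS stack does.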

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
