Educause Security Discussion mailing list archives
Re: Intermediate Certificate
From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Fri, 10 Sep 2010 09:50:16 -0400
On Sep 9, 2010 at 13:43 -0700, Alex Keller wrote:
=>>Maybe in a year or so, all the mainstream OSes, browsers, email
=>>clients, etc, will catch up and include the entire chain by default
=>>and these certs will just work automatically.
=>
=>I don't think this is the plan. From what I understand the idea behind
=>the intermediary certificates is to provide some protection against the
=>risk of a CA root certificate compromise. Moreover, the browser
=>developers are going to have little interest in including and keeping
=>track of the thousands (millions?) of intermediary certs.

I don't have a nice easy page showing this, but my understanding is that you should only need to install the intermediate certificate on the SERVER. I have seen it mentioned in several CAs' docs, and watching a "stunnel s_client" connection the server sends the CA root, CA intermediate(s), and site certificate to the client. The client is then supposed to walk this certificate signing hierarchy back up until it finds a certificate in its certificate store. If it gets to the top without finding one, then it is considered a self-signed/untrusted certificate.

I think the problem with intermediate certificate acceptance is that not all clients are doing the hierarchy traversal correctly, or that the server is not sending the complete certificate hierarchy to the client.

Disclaimer: I am not an SSL/TLS expert and only deal with them when I have to install a new/renewed one on my servers, so I may have this all wrong. :)

--
***********************************************************************
Derek Diget
Office of Information Technology
Western Michigan University - Kalamazoo Michigan USA - www.wmich.edu/
***********************************************************************
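The chain walk described in the post, as an added example that is not part of the list message: it builds a constructed root -> intermediate -> server chain with the openssl CLI and checks the server certificate against a "client" trust store that holds only the root, once without and once with the server-supplied intermediate (assumes a POSIX shell with openssl installed; all names are made up).

```shell
#!/bin/sh
# Added demonstration, not from the list post. Root, intermediate and
# server certificates are constructed locally; the client store = root only.
set -e
WORK=$(mktemp -d)

build_demo_pki() {
    cd "$WORK"
    # Extensions marking a certificate as a CA (needed for path building).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo-server.example\n' > leaf.ext
    # Root CA: self-signed; this is the only certificate in the client's store.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.crt \
        -days 2 -extfile ca.ext 2>/dev/null
    # Intermediate CA: issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out inter.crt -days 2 -extfile ca.ext 2>/dev/null
    # Server (site) certificate: issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=demo-server.example" 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -out server.crt -days 2 -extfile leaf.ext 2>/dev/null
}

# Case 1: the server sends only its own certificate. Walking up from the
# leaf, the client never reaches a certificate in its store, so this fails.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Case 2: the server sends leaf + intermediate. -untrusted models the
# server-supplied chain; the walk now ends at the root in the store.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
        "$WORK/server.crt" >/dev/null 2>&1
}

build_demo_pki
if verify_leaf_only; then echo "leaf only: OK (unexpected)"; else echo "leaf only: FAILS (no local issuer)"; fi
if verify_with_intermediate; then echo "leaf + intermediate: OK"; else echo "leaf + intermediate: FAILS"; fi
```

The same check can be run against a live server by feeding the chain printed by `openssl s_client -showcerts` to `openssl verify`.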
Current thread:
- Intermediate Certificate Nate Johnson (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)
- Certificates John Kaftan (Sep 09)
- Re: Certificates Alex Keller (Sep 09)
- Re: Certificates Michael Johnson (Sep 09)
- Re: Certificates Mark Montague (Sep 09)
- Re: Certificates Flynn, Gary - flynngn (Sep 10)
- Certificates John Kaftan (Sep 09)
- Re: Certificates Jack Suess (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)