Educause Security Discussion mailing list archives

Re: Intermediate Certificate


From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Fri, 10 Sep 2010 09:50:16 -0400

On Sep 9, 2010 at 13:43 -0700, Alex Keller wrote:
=>>Maybe in a year or so, all the mainstream OS's, browsers, email
=>>clients, etc, will catch up and include the entire chain by default 
=>>and these certs will just work automatically.
=>
=>i don't think this is the plan. from what i understand the idea behind
=>the intermediary certificates is to provide some protection against the
=>risk of a CA root certificate compromise. moreover, the browser
=>developers are going to have little interest in including and keeping
=>track of the thousands (millions?) of intermediary certs.

I don't have a nice easy page showing this, but my understanding is that 
you should only need to install the intermediate certificate on the 
SERVER.  I have seen it mentioned in several CAs' docs, and watching a 
"stunnel s_client" connection the server sends the CA root, CA 
intermediate(s), and site certificate to the client.  The client is then 
supposed to walk this certificate signing hierarchy back up until it finds 
a certificate in its certificate store.  If it gets to the top 
without finding one, then it is considered a self-signed/untrusted 
certificate.

I think the problem with intermediate certificate acceptance is that not 
all clients are doing the hierarchy traversal correctly, or that the 
server is not sending the complete certificate hierarchy to the client.

Disclaimer: I am not an SSL/TLS expert and only deal with them when I 
have to install a new/renewed one on my servers, so I may have this all 
wrong. :)

-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
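As an added illustration (not part of the original message or the list archive), the following shell script builds a constructed root -> intermediate -> leaf chain with openssl and then performs the trust-store walk described above: the "client" trusts only the root, and the leaf is verified once with the intermediate supplied alongside it and once without, which is the "server is not sending the complete hierarchy" failure mode. All names and the directory layout are made up for the example.

```shell
#!/bin/sh
# Constructed three-tier PKI for demonstration only; nothing here is real.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed). Only this certificate goes into the "client trust store".
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1

# Intermediate CA, signed by the root. It must carry CA:TRUE or clients will
# reject it as an issuer when walking the chain.
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile int.ext -out int.pem -days 30 >/dev/null 2>&1

# Leaf (site) certificate, signed by the intermediate, not by the root.
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 >/dev/null 2>&1

# verify_leaf CHAINFILE
# Emulates the client: trusted store = root.pem only; CHAINFILE holds whatever
# intermediates the server sent (empty string = server sent only the leaf).
# openssl walks leaf -> issuer -> ... until it reaches a cert in -CAfile.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Complete chain sent by the server: the walk reaches the trusted root.
echo "with intermediate:    $(verify_leaf int.pem)"
# Intermediate missing: the walk stops at an unknown issuer and fails,
# even though the root itself is trusted.
echo "without intermediate: $(verify_leaf "")"
# Against a real server the same check is: openssl s_client -connect host:443 -showcerts
```

The two `openssl verify` calls differ only in whether the intermediate is available to the client, which is exactly the distinction between a correctly and an incompletely configured server.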