Posted to dev@hc.apache.org by Gary Gregory <ga...@gmail.com> on 2017/08/25 16:55:27 UTC

Trust self signed strategy does not.

Hi All,

I just saw a case at work where we have a server that dishes out a cert
chain with three certificates, one of which is self signed. Our trust self
signed strategy just checks that the chain length is 1.

I am not familiar enough with the cert chain guts to know if there is a
better way to do this.

Gary

Re: Trust self signed strategy does not.

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Fri, 2017-08-25 at 10:55 -0600, Gary Gregory wrote:
> Hi All,
> 
> I just saw a case at work where we have a server that dishes out a cert
> chain with three certificates, one of which is self signed. Our trust self
> signed strategy just checks that the chain length is 1.
> 
> I am not familiar enough with the cert chain guts to know if there is a
> better way to do this.
> 
> Gary

Gary


My understanding is that a self-signed certificate is the one that has
been only signed by itself and therefore its cert chain consists of one
cert only - itself.

As far as I understand, all root CA certs are effectively self signed.
So, there is always a self-signed cert at the end of the cert chain.

Oleg 
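
The distinction discussed in this thread, as an added example that is not part of the original posts and is not HttpClient's own code: a certificate is self-signed when its subject equals its issuer and its signature verifies under its own public key, which is a property of the certificate rather than of the chain length. The class and method names are hypothetical; it uses only JDK classes and takes the JRE's bundled trust anchors as sample input.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration; names are hypothetical, not HttpClient API.
public class SelfSignedCheck {

    // Self-signed: subject equals issuer AND the signature verifies
    // under the certificate's own public key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false; // bad signature, or algorithm unsupported by this JRE
        }
    }

    // The chain-length test from the thread, plus a check on the certificate itself.
    static boolean isLoneSelfSigned(X509Certificate[] chain) {
        return chain != null && chain.length == 1 && isSelfSigned(chain[0]);
    }

    public static void main(String[] args) throws Exception {
        // Sample input: trust anchors bundled with the running JRE (works offline).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            X509Certificate[] anchors = ((X509TrustManager) tm).getAcceptedIssuers();
            if (anchors.length == 0) continue;
            int selfSigned = 0;
            for (X509Certificate c : anchors) {
                if (isSelfSigned(c)) selfSigned++;
            }
            System.out.println(selfSigned + " of " + anchors.length + " anchors are self-signed");
            // Constructed arrays (not real server chains) to exercise the length check.
            X509Certificate[] one = {anchors[0]};
            X509Certificate[] three = {anchors[0], anchors[0], anchors[0]};
            System.out.println("length 1: " + isLoneSelfSigned(one));
            System.out.println("length 3: " + isLoneSelfSigned(three));
        }
    }
}
```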
