Server SSL certificate validation

This may seem rather trivial, but I'm not good with TLS.

I have an openvpn server that does mutual tls auth.

my vpn client has a ca.crt file of:

root CA
intermediate CA
issuing CA

my server has a server.crt of:

server certificate # which is signed by the above "issuing CA"

However, if on my VPN client I remove the "issuing CA" and "intermediate CA" from ca.crt, my VPN client still validates the server.crt just fine.

If on my VPN client I put an invalid "root CA" in my ca.crt, then auth fails.

I'm confused as to how I can remove the "issuing CA" and "intermediate CA" from my VPN client's ca.crt and it is still able to validate the server.crt, as the cert that signed the server.crt, "issuing CA", is no longer in my VPN client's ca.crt.

Each certificate contains the information about where the certificate may be validated. It is usually never necessary to supply the intermediate/root certificates.

Oh. Does this information come from the Authority Information Access -> CA Issuers part of the certificate?

TLS mandates that the end-entity certificate is accompanied by all certificates required to build the chain, but not necessarily the root, as that should be in the verifier's trust-anchor store. It is not an error to provide the root certificate, but verifiers ignore it, as they only trust root certificates explicitly added to their trust-anchor store after being received by some other secure method.

The server should send its certificate along with the intermediate CAs, which the client uses to verify against the root it already holds. The intermediate CA certificates at the client end play no part in this.

Similarly, the client must send its certificate along with the intermediates to the server, which it verifies against the root CA certificate held in its trust-anchor store. The client must have the intermediate CA certificates available in order to do this.

In your scenario, removing the intermediates from the client end shouldn't affect how the client verifies the server certificate as the server should have sent those intermediates as part of the TLS handshake.

However, removing the root CA does affect verification as the client now doesn't have a trust-anchor against which to build and verify the certificate chain.
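The following script is an added example, not code from the original thread or from OpenVPN. It builds the poster's three-level hierarchy (root, intermediate, issuing CA) plus a server certificate with the OpenSSL command-line tool, then runs `openssl verify` in the four configurations discussed above: root only as trust anchor with the intermediates supplied the way a server sends them in the handshake (the poster's pruned ca.crt), root only with no intermediates supplied, the full root+intermediate+issuing bundle as trust anchors (the poster's original ca.crt), and an unrelated root as trust anchor even though the real root is supplied alongside the intermediates (the "verifiers ignore a received root" point). All names, subjects and files are made up for the example; the `-untrusted` file stands in for the certificates received from the peer.

```shell
#!/bin/sh
# Added example (not from the original thread): a three-level CA hierarchy
# built with OpenSSL, then verified the way a TLS client would verify the
# server certificate. Requires the openssl CLI (1.1.1 or 3.x).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > req.cnf
# Extensions for CA certificates and for the server (end-entity) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' > srv_ext.cnf

# issue NAME SUBJECT EXTFILE SERIAL [ISSUER]: create a P-256 key and CSR, then
# sign it with ISSUER's key. Without ISSUER the certificate is self-signed (a root).
issue() {
    name=$1; subj=$2; ext=$3; serial=$4; issuer=${5:-}
    openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$name.key" -out "$name.csr" -subj "$subj" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 \
            -set_serial "$serial" -extfile "$ext" -out "$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" -days 365 \
            -set_serial "$serial" -extfile "$ext" -out "$name.crt" 2>/dev/null
    fi
}

# Hypothetical PKI mirroring the thread: root -> intermediate -> issuing -> server.
issue root    "/CN=Example Root CA"         ca_ext.cnf  1
issue inter   "/CN=Example Intermediate CA" ca_ext.cnf  2 root
issue issuing "/CN=Example Issuing CA"      ca_ext.cnf  3 inter
issue server  "/CN=vpn.example.test"        srv_ext.cnf 4 issuing
# An unrelated self-signed root, standing in for the poster's "invalid root CA".
issue evil    "/CN=Some Other Root CA"      ca_ext.cnf  5

# What a correctly configured server sends in the handshake besides its own cert.
cat inter.crt issuing.crt > sent_intermediates.pem
# A server that (needlessly) also sends its root.
cat inter.crt issuing.crt root.crt > sent_with_root.pem
# The poster's original ca.crt: root + intermediate + issuing CA.
cat root.crt inter.crt issuing.crt > full_bundle.pem

# verify TRUSTFILE [UNTRUSTEDFILE]: exit 0 when server.crt chains to a trust anchor
# in TRUSTFILE. UNTRUSTEDFILE plays the role of the certificates received from the
# peer: usable for chain building, never trusted on their own.
verify() {
    trust=$1; untrusted=${2:-}
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$trust" -untrusted "$untrusted" server.crt >/dev/null 2>&1
    else
        openssl verify -CAfile "$trust" server.crt >/dev/null 2>&1
    fi
}

# report LABEL TRUSTFILE [UNTRUSTEDFILE]: human-readable result for each scenario.
report() {
    label=$1; shift
    if verify "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

report "root only, intermediates sent by server (poster's pruned ca.crt)" root.crt sent_intermediates.pem
report "root only, server sent no intermediates"                        root.crt
report "full bundle as trust anchors (poster's original ca.crt)"        full_bundle.pem
report "wrong root trusted, real root sent by server"                   evil.crt sent_with_root.pem
```

The second case is the one that fails in practice when an OpenVPN server is given only server.crt and not the intermediates (or a file containing them via `--cert`/`--extra-certs`): the client then has nothing to bridge the gap between the leaf and the root it trusts. The fourth case shows that a root received from the peer never becomes a trust anchor, which is why replacing the root in ca.crt breaks authentication even though the server could have sent the real one.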
