zakjan/cert-chain-resolver

Add root CA to chain

dbiazus opened this issue · 4 comments

Hi,

I was wondering if it would be possible/useful to add the root CA to the chain, in order to configure SSL stapling chains on Nginx and Apache httpd.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate

If you guys agree with that, we can submit a PR with this feature.

Thanks and Best Regards,

Daniel Biazus

Currently only certs from the AIA chain are concatenated to the cert bundle. CA certs are not included intentionally, because they are provided by the system trust store.

For stapling, according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling you don't need to set ssl_trusted_certificate, if your cert bundle contains intermediate certs.

Hi,

All right, I understood the reason the root CA was not included, I just thought it would be nice to add an option to fetch the CAs.

Regarding the OCSP Stapling, we do need the root CA configured on ssl_trusted_certificate to make it work as expected, at least on Nginx.

Let me know if you change your mind, if so, we can submit this feature.

Thanks

Ok, an optional flag such as --include-system could do the work. We can use result certs from https://golang.org/pkg/crypto/x509/#Certificate.Verify.

I will be happy to accept a PR.

Fixed in #16.