Finding Issuer Certificates

When looking for an issuer certificate, two possible sources may be consulted: trusted and untrusted certificates. Trusted certificates are ones the local client (Vortex) or local server (Texis Monitor) explicitly trusts: just the ones listed in sslcacertificatefile or SSL CA Certificate File. Untrusted certificates are ones obtained from the peer - the peer certificate and peer-provided chain certificates (if any).

Which of the sources are used depends on where the subject certificate (the one whose issuer is being looked up) was itself found. If the subject certificate was from the peer, then untrusted certificates will be searched first, and if the issuer is not found there, trusted certificates will then be searched. However, if the subject certificate was from the trusted certificates, only trusted certificates will be searched for the issuer. I.e. an untrusted (peer) certificate will never be used as an issuer of a trusted certificate.

This search difference can also result in slightly variant errors for a missing issuer certificate, depending on where the subject certificate is from. The error "unable to get issuer certificate" results if the subject certificate (whose issuer cannot be found) was a trusted certificate. However, "unable to get local issuer certificate" results if the subject certificate was an untrusted peer certificate. This message difference may be an aid in tracking down the error cause, as it enables the subject certificate's source to be inferred.

Note also that a peer certificate's entire chain must be completed, through its root, for it to pass verification - regardless of whether the peer certificate itself, or an intermediate certificate in its chain, is trusted.


Copyright © Thunderstone Software     Last updated: Sep 25 2019
Copyright © 2019 Thunderstone Software LLC. All rights reserved.