on 2017 Apr 18 7:30 AM
I'm stumbling over the following sentence from the v17 docs on the CREATE PROCEDURE statement (web client):
To make a secure (HTTPS) request, a client must have access to the certificate used to sign the HTTP server's certificate (or any certificate higher in the signing chain).
What does the " (or any certificate higher in the signing chain)" part mean?
Say, I have the following self-signed certificate chain:
The certificates of the CA and the Root CA contain the "Certificate Signing" attribute.
In my tests with a simple web client procedure, I seem to need to specify the 3rd certificate (Root CA) to get a successful HTTPS connection, i.e. something like

    create or replace procedure WSP_TestResource(in strURL varchar(2000))
      result( Attribut long varchar, Wert long varchar )
      url '!strURL' type 'HTTP:GET'
      certificate 'file=C:\\MyCertStore\\MyRootCA.crt';

    call WSP_TestResource('https://MyServer/MyService');
If I use a PEM file with the web server and/or CA certificate without containing the Root CA, the call fails.
(Aside: With v17, "certificate 'file=*'" also works, as the OS cert store contains the Root CA certificate.)
So does that mean the " (or any certificate higher in the signing chain)." phrase actually means "the root CA certificate of the CA that issued the web server certificate"?
Note: The question is focussed on v17 and v12/v16 after the switch to OpenSSL...
(Another aside: The question was also inherently asked in that other FAQ...)
The docs are incorrect. They were probably written when we used the Certicom cryptographic library, where this was true - you could specify certificate #2 or #3 in the list above as the trusted certificate. With OpenSSL, you need to trust the root certificate (#3).
I listed it as "higher" in the chain just because I would have listed the certificates in the opposite order - root, then CA cert, then web server cert. I'd probably order them that way because that's the order they'd have to be created in. But they appear in the file in the order Volker listed above.
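As an added example that is not part of the original thread, the following shell script builds a constructed three-level chain (root CA, CA, web server) with the openssl CLI and shows that openssl verify accepts only the self-signed root as trust anchor; the subject and file names are made up, and the -partial_chain flag shown for contrast is an OpenSSL CLI option, not a SQL Anywhere setting.

```shell
#!/bin/sh
# Added example, not from the original thread: build a constructed three-level
# chain (root CA -> CA -> web server) with the openssl CLI and check which
# certificate OpenSSL accepts as the trust anchor. Assumes an openssl binary
# on PATH; all subject names and file names are made up for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_EXT="basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"

# Key pair plus CSR for each party; -nodes leaves the keys unencrypted (demo only).
for name in root ca server; do
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=My-$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
done

# 1. Root CA: self-signed.
printf '%s\n' "$CA_EXT" > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
# 2. Intermediate CA: signed by the root.
openssl x509 -req -in "$WORK/ca.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
# 3. Web server certificate: signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myserver.example\n' > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# verify_with FILE: is server.crt accepted when FILE is the only trusted certificate?
# The intermediate is always offered as untrusted chain material, as a TLS server would send it.
verify_with() {
  openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}
# verify_partial FILE: same, but allow a non-self-signed trust anchor (OpenSSL's -partial_chain).
verify_partial() {
  openssl verify -partial_chain -CAfile "$WORK/$1" -untrusted "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

for anchor in root.crt ca.crt; do
  if verify_with "$anchor"; then echo "default : $anchor accepted as trust anchor"
  else echo "default : $anchor rejected (unable to get issuer certificate)"; fi
  if verify_partial "$anchor"; then echo "partial : $anchor accepted as trust anchor"
  else echo "partial : $anchor rejected"; fi
done
```

With default verification only root.crt is accepted, which matches the behaviour described for the OpenSSL-based versions; the intermediate alone passes only when the verifier explicitly allows partial chains.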