
What does the "Acceptable client certificate CA names" line mean in OpenSSL? When I connect via OpenSSL I can see the server certificate and an "Acceptable client certificate CA names" section that lists various root CAs.

cyzczy

1 Answer


This is the list of certificate authorities which are accepted by the server as issuer for the client certificate. The client can use this list to select the appropriate client certificate. See RFC 5246 (TLS 1.2) section 7.4.4:

certificate_authorities
A list of the distinguished names [X501] of acceptable certificate_authorities ... may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used to describe known roots as well as a desired authorization space.

Steffen Ullrich
  • So this information is sent by the server I'm connecting to? – cyzczy Oct 07 '16 at 11:19
  • Or is this coming from server I'm running the openSSL command from ? – cyzczy Oct 07 '16 at 11:24
  • @adam86: As can be seen from the referenced TLS 1.2 standard, the information is sent within the TLS handshake. Which obviously means that this information is coming from the server you are connected to. – Steffen Ullrich Oct 07 '16 at 12:03
  • so basically if I want to connect via openSSL to my test DC I would have to import the root CA cert on the linux box from which I try to connect to the DC and specify that path to it when running the command, is that correct ? – cyzczy Oct 07 '16 at 13:24
  • @adam86: I don't really understand what you are talking about. But, like I said, the list of CAs is sent by the server so that the client knows which client certificates the server accepts. There is nothing to import at the client; it's only that the client needs to send the requested client certificate back, which the client obviously must have. – Steffen Ullrich Oct 07 '16 at 13:33
  • Apologies for not being clear. I mean I was reading on the Internet that while connecting with OpenSSL it might be necessary to specify a path to the root CA, otherwise it will generate errors. I'm getting errors when connecting like "Verify return code: 21 (unable to verify the first certificate)", not sure how to address this. – cyzczy Oct 07 '16 at 15:02
  • @adam86: what you describe are problems the client has to verify the server's certificate. "Acceptable client certificate CA names" instead cares about client certificates and is not related to validation of the server certificate. – Steffen Ullrich Oct 07 '16 at 15:18
  • @SteffenUllrich +1 to your explanation. I am having my client cert CA configured on the server and listed in the "acceptable client certificate CA names" as shown by OpenSSL. I can successfully connect to the server without passing a client certificate though. Wondering how can that happen. Probably my Envoy configuration is missing a flag to validate client certificates.. – Sergey Shcherbakov Sep 01 '22 at 18:47
  • @SergeyShcherbakov: There are typically 3 options regarding client certificates: a) none: don't ask for it b) optional: ask for it but continue if none was given c) required: fail if none was provided. I don't know how this is configured in Envoy. – Steffen Ullrich Sep 01 '22 at 18:56
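The answer above identifies the printed line with the certificate_authorities field of the TLS 1.2 CertificateRequest message. The Python below is an added illustration, not code from the question, the answer or OpenSSL: it builds a constructed CertificateRequest carrying two hypothetical CA names, parses it the way a client must (certificate_types, then supported_signature_algorithms, then the length-prefixed list of DER-encoded DistinguishedNames), and renders each name in the slash-separated form that OpenSSL's X509_NAME_oneline produces, which is the format s_client uses for that section. The CA names, the small OID table and the message contents are all constructed for the example. It covers the TLS 1.2 layout the answer cites; in TLS 1.3 the same list travels in the certificate_authorities extension of CertificateRequest (RFC 8446 section 4.2.4) instead of a fixed field.

```python
"""Decode a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4) and list the
CA names it carries: the data `openssl s_client` prints under the heading
"Acceptable client certificate CA names". All input below is constructed."""
import struct

CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request
# DER-encoded attribute type OIDs for the few X.501 attributes rendered here.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
OID_BY_DER = {v: k for k, v in OIDS.items()}

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content

def der_name(rdns) -> bytes:
    """Encode [("C", "US"), ...] as an X.501 Name, one RDN per attribute (UTF8String values)."""
    return der_tlv(0x30, b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OIDS[attr]) + der_tlv(0x0C, text.encode())))
        for attr, text in rdns))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def name_oneline(der: bytes) -> str:
    """Render a DER Name the way X509_NAME_oneline does: /C=US/O=Org/CN=Name."""
    tag, name, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(name):
        tag, rdn, pos = read_tlv(name, pos)  # RelativeDistinguishedName: SET OF ATV
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = read_tlv(rdn, rpos)  # AttributeTypeAndValue SEQUENCE
            _, oid, vpos = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, vpos)
            attr = OID_BY_DER.get(oid, oid.hex())  # unknown attribute types print as raw hex
            parts.append(f"{attr}={value.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)

def parse_certificate_request(handshake: bytes) -> dict:
    """Parse a TLS 1.2 CertificateRequest handshake message, 4-byte header included."""
    if handshake[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    pos = 1 + body[0]                                          # certificate_types<1..2^8-1>
    cert_types = list(body[1:pos])
    n_sig = struct.unpack_from("!H", body, pos)[0]             # supported_signature_algorithms
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos + 2, pos + 2 + n_sig, 2)]
    pos += 2 + n_sig
    n_ca = struct.unpack_from("!H", body, pos)[0]              # certificate_authorities<0..2^16-1>
    pos, end = pos + 2, pos + 2 + n_ca
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    ca_names = []
    while pos < end:                                           # each DistinguishedName<1..2^16-1>
        dn_len = struct.unpack_from("!H", body, pos)[0]
        ca_names.append(name_oneline(body[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    # An empty list means the server stated no preference; the client may send any certificate.
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_names": ca_names}

def build_certificate_request(ca_names_der) -> bytes:
    """Build a CertificateRequest for testing (constructed, not captured from a server)."""
    cert_types = bytes([1, 64])     # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3])  # sha256+rsa, sha256+ecdsa
    ca_list = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names_der)
    body = (bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(ca_list)) + ca_list)
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

# Constructed sample: two hypothetical CAs a server might advertise.
SAMPLE_CAS = [der_name([("C", "US"), ("O", "Example Inc"), ("CN", "Example Root CA")]),
              der_name([("CN", "Example Client Issuing CA")])]
SAMPLE_CERTIFICATE_REQUEST = build_certificate_request(SAMPLE_CAS)

if __name__ == "__main__":
    print("Acceptable client certificate CA names")
    print("\n".join(parse_certificate_request(SAMPLE_CERTIFICATE_REQUEST)["ca_names"]))
```

The parser only decodes the list; it does not validate anything, which mirrors the point made in the comments: these names tell the client which issuers the server will accept for a client certificate, and have no bearing on whether the client can verify the server's own chain (the "Verify return code: 21" problem is fixed on the client side with a trust store, e.g. s_client's -CAfile, not by this list).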