cert considered invalid when intermediate is expired

Richard Moore rich at kde.org
Fri Oct 26 18:02:25 CEST 2012

On 26 October 2012 14:15, Michal Suchanek <hramrach at gmail.com> wrote:
> Both GNUtls and OpenSSL refuse to verify the connection.
> I am not sure if the certificate is technically valid in this case or not.
> Any insight?

It is invalid, however browsers that cache intermediate certificates
(which most do) are sometimes able to still find a trust path from
the leaf to one of the trust anchors (root CAs) by using a more recent
replacement for the intermediate certificate if they have encountered
it on another site. The replacement intermediate certificates often
reuse the same private key which is what makes this work.
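
The mechanism described in the reply above, reproduced with OpenSSL as an added example that is not part of the original thread: a toy PKI whose server-sent intermediate has expired, and a replacement intermediate with the same key and subject that still completes the chain. All names (Test Root, Test Intermediate, leaf.example) and the three-day check offset are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway PKI and
# checks the leaf against an expired intermediate and its replacement.
set -e

build_pki() {
    PKI=$(mktemp -d)
    cd "$PKI"
    # CA extensions shared by both intermediate certificates
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\n' > ca.ext
    # Root CA (the trust anchor)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -days 3650 -subj "/CN=Test Root" >/dev/null 2>&1
    # One intermediate key, reused by the old and the replacement certificate
    openssl genrsa -out inter.key 2048 >/dev/null 2>&1
    openssl req -new -key inter.key -out inter.csr -subj "/CN=Test Intermediate" >/dev/null 2>&1
    # Old intermediate: valid for only one day
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 1 \
        -days 1 -extfile ca.ext -out inter_old.crt >/dev/null 2>&1
    # Replacement intermediate: same key and subject, ten-year validity
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 2 \
        -days 3650 -extfile ca.ext -out inter_new.crt >/dev/null 2>&1
    # Leaf signed with the intermediate key; either intermediate cert can issue it
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA inter_old.crt -CAkey inter.key -set_serial 3 \
        -days 365 -out leaf.crt >/dev/null 2>&1
    # Evaluate every chain as of three days from now, after inter_old has expired
    CHECK_TIME=$(( $(date +%s) + 3 * 86400 ))
}

# verify_chain <intermediate file>: exit 0 if leaf.crt chains to root.crt via it
verify_chain() {
    openssl verify -attime "$CHECK_TIME" -CAfile root.crt -untrusted "$1" leaf.crt
}

build_pki
verify_chain inter_old.crt || echo "chain as sent by the server is rejected (expired intermediate)"
verify_chain inter_new.crt && echo "a cached replacement intermediate completes the chain"
```

The same check against a real server is `openssl verify -CAfile <roots> -untrusted <server-sent intermediates> <leaf>`; if that fails while browsers succeed, a cached replacement intermediate is the likely reason.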
