kju

Chain issue: Contains anchor

Discussion created by kju on Mar 18, 2013
Latest reply on Mar 1, 2015 by Yannick Gaultier

If the certificate chain presented by the server contains the root anchor, this is noted as an "issue" in the result.

It is my belief that this is actually NOT an issue according to RFC 5246:

"Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case".

So the standard implies that the root certificate is presented in the chain but MAY be omitted. Not doing so is therefore neither an error nor an issue according to the specification.

