So, I've done some work on SSSD upstream to make this happen: https://github.com/SSSD/sssd/pull/5558
With that we'll just be able to set on upgraders the option `certification_verification = partial_chain`, and this will just make the SSSD's PEM ring work as the NSS db used to work: and so verify a certificate if only its issuer is in the SSSD's CA certificates DB.
This comes with unit tests covering the case with generated certificates; not sure if I can personally test this with real hardware (for SRU purposes) though... We may still need to simulate it.
At the end, it's just as doing:
openssl verify -partial_chain -CAfile intermediate_CA.pem intermediate_CA_issued_cert.pem
Karl, will this be enough for you?
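The behaviour the comment above describes, as an added example that is not part of the comment or of the SSSD pull request: the script builds a constructed root -> intermediate -> leaf chain with openssl, then verifies the leaf against a trust store that holds only the intermediate, first with a full-chain check (which fails because the intermediate's own issuer is unknown) and then with `-partial_chain` (which succeeds). It assumes an `openssl` binary of version 1.1.1 or newer on PATH; every subject name, file name and the helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SSSD PR or the bug comment). Builds a three-level
# chain root -> intermediate -> leaf and compares full-chain verification with
# partial-chain verification when only the intermediate is trusted.
# Assumes openssl >= 1.1.1 on PATH; all names and subjects below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA (constructed test data, 1-day validity).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout root.key -out root.pem -days 1 -subj "/CN=Constructed Root CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

# Intermediate CA issued by the root (CA:TRUE so it may act as a trust anchor
# under partial-chain verification).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout intermediate_CA.key -out intermediate_CA.csr \
  -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in intermediate_CA.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -days 1 -extfile ca.ext -out intermediate_CA.pem >/dev/null 2>&1

# End-entity certificate issued by the intermediate (the kind a smart card carries).
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=Constructed User" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA intermediate_CA.pem -CAkey intermediate_CA.key \
  -CAcreateserial -days 1 -extfile leaf.ext -out intermediate_CA_issued_cert.pem >/dev/null 2>&1

# verify_with_intermediate_only: exit 0 when the leaf verifies against a trust
# store containing only the intermediate. $1 is "-partial_chain" or empty.
verify_with_intermediate_only() {
  openssl verify $1 -CAfile "$WORK/intermediate_CA.pem" \
    "$WORK/intermediate_CA_issued_cert.pem" >/dev/null 2>&1
}

# Status helpers (constructed names) that print "ok" or "fail".
full_chain_status() {
  if verify_with_intermediate_only ""; then echo ok; else echo fail; fi
}
partial_chain_status() {
  if verify_with_intermediate_only -partial_chain; then echo ok; else echo fail; fi
}

echo "full chain, intermediate only   : $(full_chain_status)"     # fail: issuer of the intermediate is unknown
echo "partial_chain, intermediate only: $(partial_chain_status)"  # ok: the intermediate itself is the trust anchor
```

The full-chain run is what a PEM-based store without the new option does: OpenSSL walks up to the intermediate, finds no issuer for it in the store and returns "unable to get issuer certificate". With `-partial_chain` the intermediate is accepted as the trust anchor, which matches the old NSS-db behaviour the comment wants to restore; the trade-off is that whoever curates the CA file is now trusting the intermediate directly, so it should hold only CAs that are meant to be anchors.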