000027988 - BSAFE: SSL-C: transmit client cert only instead of the complete chain

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Number: 000027988
Applies To: SSL-C
Issue: BSAFE: SSL-C: transmit client cert only instead of the complete chain

We'd like the client to only transmit the client cert. and not the complete chain (the server has the sub. CA and root CA in its trust store). What is the best method to ensure that only the client cert. is transmitted by SSL-C?


SSL-C does not support sending only the client certificate portion of the certificate chain. Since handshakes are generally a very small part of SSL communication, the bandwidth you might save by omitting the chain should not be significant.

While SSL-C doesn't support removing the certificate chain from the client certificate, there are a couple of things you could try:

1. When you set the client certificate, don't include the certificate chain. (SSL-C can't send what it doesn't know about.)

2. Use SSL_CTX_set_client_cert_cb to set a callback function that returns only the client certificate, without the chain.
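An added example for the first suggestion above; it is not from the RSA article and is not SSL-C code. It is a POSIX shell script that takes a PEM bundle in which the end-entity (client) certificate comes first and writes a file containing only that certificate, so that whatever file is later handed to SSL-C as the client certificate never contains the sub CA or root CA. The file names, the sample bundle and its base64 bodies are constructed for this example and are not real certificates.

```shell
#!/bin/sh
# Added example, not part of the RSA article and not SSL-C code.
# Prepares a leaf-only PEM file for suggestion 1: the file handed to SSL-C as
# the client certificate contains just the end-entity certificate, so there is
# no sub CA / root CA for the library to transmit.
#
# Assumptions (not stated in the article):
#   - the client bundle is PEM with the end-entity certificate FIRST,
#     followed by the issuing CA certificates (the usual bundle order);
#   - the private key lives in its own file and is untouched here;
#   - file names are placeholders.

# Copy only the first CERTIFICATE block from stdin to stdout. Anything before
# it (e.g. "subject=" / "Bag Attributes" lines written by openssl tools) and
# every later block is dropped.
pem_leaf_only() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print }
        /-----END CERTIFICATE-----/ && n == 1 { exit }
    '
}

# Number of CERTIFICATE blocks in a PEM file (prints 0 when there are none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write the leaf-only file and refuse to hand over anything but exactly one
# certificate. Returns 0 on success, 1 otherwise.
prepare_leaf_file() {
    bundle=$1
    leaf=$2
    pem_leaf_only < "$bundle" > "$leaf" || return 1
    if [ "$(pem_cert_count "$leaf")" -ne 1 ]; then
        echo "error: $leaf does not contain exactly one certificate" >&2
        return 1
    fi
    return 0
}

# Constructed sample bundle: the base64 bodies are placeholders, not real
# certificates; they only exercise the splitting logic.
make_sample_bundle() {
    cat > "$1" <<'EOF'
subject=CN=client.example.test
issuer=CN=Example Sub CA
-----BEGIN CERTIFICATE-----
MIIBLEAFCERTPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBSUBCACERTPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBROOTCACERTPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
EOF
}

# Stand-alone use: ./leaf_only.sh client-bundle.pem client-leaf.pem
if [ "$#" -eq 2 ]; then
    prepare_leaf_file "$1" "$2" || exit 1
    echo "wrote $2 with $(pem_cert_count "$2") certificate(s)"
fi
```

Point SSL-C at the resulting leaf-only file (plus the separate key file) instead of the bundle; this relies on the article's observation that SSL-C cannot send what it has not been given, so make sure the sub CA and root CA are not loaded into the client's certificate chain through any other call either. If the openssl command-line tool is available, `openssl x509 -noout -subject -in client-leaf.pem` confirms that the block you kept is really the client certificate and not a CA certificate. As the question notes, the server must then have the sub CA and root CA in its own trust store to build the chain itself.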

Legacy Article ID: a51204