Intermediate CA trust in mTLS config

[adra78]

Hi,
I have a Root CA and 2 intermediate CA and I am trying to configure my syslog-ng server to trust only certificate from "Intermediate CA1". I dont want certs from "Intermediate CA2" to be trusted by the syslog-ng server.
Putting only symlink hash of "Intermediate CA1" in ca_dir was not working, I had to add the symlink hash of the root CA as well
The problem I face now is that both "intermediate CA" are trusted, having the cert of Intermediate CA1 in ca_dir doesnt seem to limit trust to it.

What would be the config required in order to trust only one intermediate CA ?
Thanks for your help

[MrAnno]

If you find that Intermediate CA2 has also become the basis of trust, it may be because the other party sends that CA together with its own cert, and syslog-ng then validates it against your root CA, which is your real trust anchor.

If you want to trust "Intermediate CA1" only, you should make that your trust anchor, for example, by making it a root CA.

If that's not an option for you, the following syslog-ng options may also help you fine-tune your trust chain:

https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#tls-options-trusted-dn
https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#tls-options-trusted-keys

[adra78]

Thanks for your answer, that's really helpfull

If you find that Intermediate CA2 has also become the basis of trust, it may be because the other party sends that CA together with its own cert, and syslog-ng then validates it against your root CA, which is your real trust anchor.

Yes the other party is sending both certs and that explain why its validated by syslog-ng.
I now understand that in ca_dir it is expected only root certs ; intermediate certs are useful in ca_dir only if the clients doesnt send their certificate concated with the intermediate CA cert.

I will check if I can make it work using trusted-dn.
Having a syslog-ng option such as trusted-intermediate-ca would be awesome 😉