-
Hi, what would be the config required in order to trust only one intermediate CA?

Replies: 2 comments

-
If you find that Intermediate CA2 has also become the basis of trust, it may be because the other party sends that CA together with its own cert, and syslog-ng then validates it against your root CA, which is your real trust anchor. If you want to trust "Intermediate CA1" only, you should make that your trust anchor, for example, by making it a root CA. If that's not an option for you, the following syslog-ng options may also help you fine-tune your trust chain:
https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#tls-options-trusted-dn
https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#tls-options-trusted-keys

-
Thanks for your answer, that's really helpful.
Yes, the other party is sending both certs and that explains why it's validated by syslog-ng. I will check if I can make it work using trusted-dn.
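As an added illustration of the answer above (this is example configuration written for this page, not code from the discussion or from the syslog-ng project), here is a TLS source whose trust store holds only the chosen anchor and which then narrows accepted peers with trusted-dn(). All file paths, the port, the DN pattern and the fingerprint placeholder are assumptions; substitute your own values.

```conf
# Added example, not part of the original discussion.
# Assumed paths and values: adjust for your deployment.
source s_tls_in {
    network(
        ip("0.0.0.0")
        port(6514)
        transport("tls")
        tls(
            # Put ONLY the chosen trust anchor in this directory (for example
            # Intermediate CA1, re-issued as a root as the answer suggests).
            # Do not also place the root CA here: if the root is trusted, a
            # peer that sends the Intermediate CA2 certificate along with
            # its own certificate will still validate through CA2.
            # ca-dir() expects hash-named symlinks (openssl rehash / c_rehash).
            ca-dir("/etc/syslog-ng/ca.d")

            # This server's own key and certificate (assumed paths).
            key-file("/etc/syslog-ng/cert.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")

            # Require a client certificate and require it to chain to ca-dir().
            peer-verify(required-trusted)

            # After chain validation, accept only peers whose certificate
            # subject DN matches this pattern (wildcards allowed). Assumed DN.
            trusted-dn("*, OU=Collectors, O=Example Corp, C=*")

            # Alternative or additional pinning by SHA-1 fingerprint of the
            # accepted peer certificates; the value below is a placeholder.
            # trusted-keys("SHA1:<fingerprint-of-accepted-peer-cert>")
        )
    );
};

# Assumed destination so the source is actually consumed.
destination d_tls_in {
    file("/var/log/tls-in.log");
};

log {
    source(s_tls_in);
    destination(d_tls_in);
};
```

The order of checks matters: peer-verify(required-trusted) first requires the presented chain to reach something in ca-dir(), and only then do trusted-dn() or trusted-keys() filter which of those validated peers are accepted. Neither option can widen trust beyond ca-dir(), so the effective fix for the question is still to keep the root CA out of the trust store and leave only the intended anchor there; trusted-dn() and trusted-keys() then let you pin specific peers on top of that.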