PKI: certificate shall be trusted if at least one certificate is trusted in the chain
The OPC UA specification 1.05 part 4 §6.1.3 adds the following precision to the certificate validation mechanism:
A Certificate is trusted if the Certificate or at least one of the Certificates in the chain are in the list of trusted Certificates for the Application and the chain is valid.
Previously our PKI considered a certificate trusted in only 2 cases:
- The whole chain except the leaf certificate is trusted
- The leaf certificate is trusted and its chain is available (trusted or not)
As a consequence we shall now trust a certificate when at least one of the certificates in its (valid) chain is trusted.
Note: it is also necessary to be able to trust certificates issued by an intermediate CA while not trusting those issued directly by the root CA (or any other parent CA): trusting the intermediate certificate must not implicitly trust its issuers.
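The rule change above and the note on intermediate CAs, as an added example that is not S2OPC code: the `Cert` class, key ids and thumbprints are constructed stand-ins (signature verification is modelled by matching key ids rather than real X.509 checks), and `is_trusted_old` / `is_trusted_new` contrast the previous behaviour with the OPC UA 1.05 rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model (constructed for this example): real X.509
    parsing and signature verification are replaced by key-id matching."""
    subject: str      # Subject name
    issuer: str       # Subject name of the certificate that signed this one
    key_id: str       # Identifies this certificate's public key
    signed_by: str    # key_id the signature verifies against
    thumbprint: str   # Identifier looked up in the trust list


def chain_is_valid(chain: list[Cert]) -> bool:
    """chain[0] is the leaf. Each certificate must be issued and signed by the
    next one, and the chain must end with a self-signed (root) certificate."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or child.signed_by != parent.key_id:
            return False
    top = chain[-1]
    return top.issuer == top.subject and top.signed_by == top.key_id


def is_trusted_old(chain: list[Cert], trusted: set[str]) -> bool:
    """Previous rule: every certificate above the leaf is trusted, or the leaf is."""
    if not chain_is_valid(chain):
        return False
    leaf, parents = chain[0], chain[1:]
    parents_trusted = bool(parents) and all(c.thumbprint in trusted for c in parents)
    return parents_trusted or leaf.thumbprint in trusted


def is_trusted_new(chain: list[Cert], trusted: set[str]) -> bool:
    """OPC UA 1.05 part 4 section 6.1.3: a valid chain is trusted as soon as
    any certificate in it is in the trust list."""
    return chain_is_valid(chain) and any(c.thumbprint in trusted for c in chain)


# Constructed sample PKI: root -> intermediate -> server, plus a certificate
# issued directly by the root and one whose signature does not verify.
root = Cert("Root CA", "Root CA", "k-root", "k-root", "tp-root")
inter = Cert("Intermediate CA", "Root CA", "k-inter", "k-root", "tp-inter")
server = Cert("urn:server", "Intermediate CA", "k-srv", "k-inter", "tp-srv")
direct = Cert("urn:direct", "Root CA", "k-dir", "k-root", "tp-dir")
forged = Cert("urn:forged", "Intermediate CA", "k-f", "k-unknown", "tp-f")

if __name__ == "__main__":
    only_inter = {"tp-inter"}  # trust list containing only the intermediate CA
    print(is_trusted_old([server, inter, root], only_inter))  # False
    print(is_trusted_new([server, inter, root], only_inter))  # True
    print(is_trusted_new([direct, root], only_inter))         # False
```

With only the intermediate trusted, the new rule accepts the server certificate the old rule rejected, while a certificate issued directly by the (untrusted) root is still refused, and a chain whose signature does not verify is refused whatever the trust list contains.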