What happens in this case (and you can see it by using Wireshark to watch
your traffic to github.com) is that the github server sends you both its
cert and the intermediary cert. Essentially what it is saying is I am valid
and here is another cert you're probably going to need to prove that.

Depending on how you're receiving these certificates they should be bundled
with any intermediate CA certs you will need. OpenSSL::X509::Store#verify
takes a second parameter which is an array representing the certificate
chain. You will need to pass it an array of OpenSSL::X509::Certificate
representing all the intermediate CAs needed to validate the first
parameter.

On Mon, Nov 7, 2011 at 2:07 PM, Iñaki Baz Castillo <ibc / aliax.net> wrote:

> 2011/11/7 John Downey <jdowney / gmail.com>:
> > One thing to note is that the github.com cert you've provided isn't
> > directly signed by a root CA. It is signed by an intermediate CA:
> > DigiCert High Assurance EV CA-1 (attached). That cert is in turn signed
> > by DigiCert High Assurance EV Root CA. When I run the attached cert
> > through your code I find it is valid.
>
> Thanks John. But then I don't fully understand how to make it work. I
> expect that browsers use the list of root CA as provided in
> http://curl.haxx.se/ca/cacert.pem, am I wrong? or do the browsers also
> have another list of intermediate CAs?
>
>
> --
> Iñaki Baz Castillo
> <ibc / aliax.net>
>
>


-- 
John Downey
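
The behaviour of the second argument to OpenSSL::X509::Store#verify discussed in this thread, as an added example that is not part of the original messages. It builds a constructed throwaway root, intermediate and leaf (the helper names `issue`, `verify_leaf` and `run_demo` and all certificate names are made up for illustration) and goes slightly beyond the thread by also showing that certificates passed in the chain are not treated as trust anchors.

```ruby
require "openssl"

# Constructed throwaway PKI for illustration: root CA -> intermediate CA -> leaf.
# All names are made up; nothing here is GitHub's or DigiCert's real material.
def issue(cn, serial, issuer: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Trust anchors go in the store; intermediates go in the (untrusted) chain argument.
def verify_leaf(trusted_roots, leaf, chain = nil)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, chain)
  [ok, store.error_string]
end

def run_demo
  root,  root_key  = issue("Example Root CA", 1, ca: true)
  inter, inter_key = issue("Example Intermediate CA", 2, issuer: root, issuer_key: root_key, ca: true)
  leaf,  _leaf_key = issue("www.example.test", 3, issuer: inter, issuer_key: inter_key)
  {
    root_only:       verify_leaf([root], leaf),               # no path to the root
    with_chain:      verify_leaf([root], leaf, [inter]),      # path can be built
    chain_no_anchor: verify_leaf([], leaf, [inter, root])     # chain alone confers no trust
  }
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |name, (ok, msg)| puts format("%-16s valid=%-5s (%s)", name, ok, msg) }
end
```

Only the case with the root in the store and the intermediate in the chain verifies; the chain argument helps path building, while the decision about what is trusted stays with the store.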