It’s kind of the other way round. The intermediate certificate is included in the keystore, alongside the node’s own certificate.
When the node needs to identify itself, it sends its own cert + all intermediate certs. The other party then validates against the (trusted) root cert. Think of it as the first node being a webserver, the second node being a browser. The webserver needs to have its own cert + key plus all intermediate certs configured, the browser only has a list of trusted root CAs.
In order for a TLS connection to be established, you always need the full chain, end-to-end, with all intermediate certs. This has nothing to do with the cert being self-signed. You also need intermediate certs when you buy a cert from Thawte or the like.
By the way: The only difference between a certificate signed by your own Root CA and a certificate from, say, Thawte is that browsers and OSes ship with a list of trusted Root CAs, which includes Thawte but not your own. There’s no technical difference regarding content and structure of the certificates.
On Wednesday, April 19, 2017 at 8:07:58 PM UTC+2, pixelrebel wrote:
In the following script:
The final dump to the trust store only dumps the root, shouldn’t it be including the whole chain (i.e. root+signing)?
Which leads to another dumb question: In order for self-signed certs to be accepted in general, do you have to include only the root or the whole chain in your circle of trust?
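The chain behaviour described in the reply above, as an added example that is not part of this thread: a trust store that holds only the root accepts the node certificate when the node presents the intermediate along with it, and rejects it when the intermediate is missing. It assumes `openssl` (1.1.1 or newer) is on the PATH; the CA and node names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: build root CA -> intermediate CA -> node cert,
# then verify the node cert against a trust store holding ONLY the root.
set -eu

WORK=$(mktemp -d)

build_pki() {
  # Minimal req config so the demo does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' > "$WORK/req.cnf"
  # The two CAs must assert CA:TRUE; the node (end-entity) cert must not.
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' > "$WORK/node.ext"

  for name in root int node; do   # one private key and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
      -subj "/CN=Example $name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  # Root: self-signed; the only certificate the other side needs in its trust store.
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate: signed by the root, itself a CA.
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Node certificate: signed by the intermediate; this is what goes in the node's keystore.
  openssl x509 -req -days 2 -in "$WORK/node.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/node.ext" -out "$WORK/node.pem" 2>/dev/null
  # What the node must present to its peer: its own cert followed by the intermediate.
  cat "$WORK/node.pem" "$WORK/int.pem" > "$WORK/node-fullchain.pem"
}

# Trust store = root only; the node supplies the intermediate -> chain builds, OK.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/node.pem" >/dev/null 2>&1
}

# Same trust store, but the intermediate is not presented -> no path to the root.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/node.pem" >/dev/null 2>&1
}

build_pki
if verify_with_chain; then echo "node cert + intermediate, root-only trust store: OK"; fi
if ! verify_without_intermediate; then echo "node cert alone, root-only trust store: rejected"; fi
```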