On Wed 19 December, luvlee_ghg wrote:
> When the issued certificate is sent for verification, it always fails. I
> think while building the certificate chain it's building with the wrong SUBCA
> because it finds two of them with the same name. So I would like to know how
> a certificate chain can be built in case there are two CAs with similar names
> present in the certificate store. How to use the CA of the issued
> certificate to build the chain for verification?

Do you have AKI/SKI X509v3 extensions in your certificates?

I'm not an expert on openssl internals, but regarding X509_check_issued (defined in v3_purp.c), openssl can use aki/ski to check the chain of verification. However, maybe openssl tried the first CA certificate (the bad one), called check_issued, and didn't try any other ones since an error occurred.

my two cents

--
http://asyd.net/home/ - Home Page
http://guses.org/home/ - French Speaking (Open)Solaris User Group
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
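
The AKI/SKI matching raised in the reply, as an added example that is not part of the original thread and is not OpenSSL's code: a simplified Python model of choosing an issuer when two CA certificates in the store share a subject name. The `Cert` class, the function names and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Only the fields that matter for issuer selection (constructed model)."""
    subject: str
    issuer: str
    serial: int
    ski: Optional[bytes] = None          # subjectKeyIdentifier
    aki_keyid: Optional[bytes] = None    # authorityKeyIdentifier keyIdentifier
    aki_issuer: Optional[str] = None     # authorityKeyIdentifier authorityCertIssuer
    aki_serial: Optional[int] = None     # authorityKeyIdentifier authorityCertSerialNumber

def issuer_mismatch(cert, ca):
    """Return None if `ca` may have issued `cert`, else the reason it cannot."""
    if cert.issuer != ca.subject:
        return "subject/issuer name mismatch"
    # Each AKI field is compared only when the data to compare is present.
    if cert.aki_keyid is not None and ca.ski is not None and cert.aki_keyid != ca.ski:
        return "AKI keyid != SKI"
    if cert.aki_serial is not None and cert.aki_serial != ca.serial:
        return "AKI serial mismatch"
    if cert.aki_issuer is not None and cert.aki_issuer != ca.issuer:
        return "AKI issuer name mismatch"
    return None

def find_issuer(cert, store):
    """Check every candidate in the store; do not stop at the first name match."""
    rejected = []
    for ca in store:
        reason = issuer_mismatch(cert, ca)
        if reason is None:
            return ca, rejected
        rejected.append((ca.serial, reason))
    return None, rejected

# Constructed sample: two sub-CAs share one subject name but have different keys.
ROOT = "CN=Example Root"
OLD_SUBCA = Cert("CN=Example SubCA", ROOT, serial=10, ski=b"\x01" * 20)
NEW_SUBCA = Cert("CN=Example SubCA", ROOT, serial=11, ski=b"\x02" * 20)
STORE = [OLD_SUBCA, NEW_SUBCA]   # the wrong CA happens to come first
LEAF = Cert("CN=user", "CN=Example SubCA", serial=500, aki_keyid=b"\x02" * 20)
LEAF_NO_AKI = Cert("CN=user2", "CN=Example SubCA", serial=501)

if __name__ == "__main__":
    print(find_issuer(LEAF, STORE))
    print(find_issuer(LEAF_NO_AKI, STORE))
```

In this model a leaf without an AKI can only be matched by name, so the first same-named CA in the store is returned and only the later signature check can tell whether it was the right one.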
