During the building of the certificate chain, the distinguished names
(DNs) are used to match the issuers and the subjects.  So if two
different certificates (since they are using different keys) have the
same DNs, that would be a problem.

Have you tried including the "correct" intermediate certificate with
the leaf one?  If the verifier decides to pick its own, there is probably
nothing you can do, but it might work.

Hong.

On Dec 19, 2007 10:18 AM, luvlee_ghg <[EMAIL PROTECTED]> wrote:
>
> Hi experts,
>
> I would like to know if there is any API that takes care of building a
> certificate chain in OpenSSL similar to MS API. Also please let me know the
> basic details on how a certificate chain is verified in OpenSSL.
>
> Following is my implementation:
>
>                      R o o t C A
>                      |         |
>                SUB CA1         SUB CA1 (signing key is different than the other one)
>                   |
>           Issued Certificate
>
> When the issued certificate is sent for verification, it always fails. I
> think while building the certificate chain it's building with the wrong SUBCA
> because it finds two of them with the same name. So I would like to know how
> a certificate chain can be built if there are two CAs with a similar name
> present in the certificate store. How to use the CA of the Issued
> certificate to build the chain for verification?
>
>
>
> --
> View this message in context: 
> http://www.nabble.com/Help-required-on-building-certificate-chain-tp14422191p14422191.html
> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [email protected]
> Automated List Manager                           [EMAIL PROTECTED]
>
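The situation in this thread can be reproduced in a throwaway lab with the openssl command-line tool. The script below is an added example, not part of the original messages: it builds a root with two "SUB CA1" intermediates that share one DN but have different keys, then verifies the leaf with each intermediate supplied alongside it. All file names, subjects and the one-day lifetime are constructed for the example.

```shell
#!/bin/sh
# Constructed lab PKI; every name, file and lifetime below is an assumption.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# Private config so the run does not depend on the system openssl.cnf.
cat > "$W/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME SUBJECT SIGNER SECTION: new key + CSR for NAME, signed by SIGNER.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$W/$1.key"
  openssl req -new -config "$W/pki.cnf" -key "$W/$1.key" -subj "$2" -out "$W/$1.csr"
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$3.pem" -CAkey "$W/$3.key" -CAcreateserial \
    -days 1 -extfile "$W/pki.cnf" -extensions "$4" -out "$W/$1.pem" 2>/dev/null
}

# Self-signed root, the only trust anchor.
openssl ecparam -name prime256v1 -genkey -noout -out "$W/root.key"
openssl req -x509 -new -config "$W/pki.cnf" -key "$W/root.key" -subj "/CN=RootCA" \
  -days 1 -extensions v3_ca -out "$W/root.pem"

issue subA "/CN=SUB CA1" root v3_ca      # the CA that really issued the leaf
issue subB "/CN=SUB CA1" root v3_ca      # same DN, different signing key
issue leaf "/CN=Issued Certificate" subA v3_leaf

# subject NAME: print the subject DN of a certificate.
subject() { openssl x509 -in "$W/$1.pem" -noout -subject; }

# verify_with NAME: trust only the root, pass NAME as the untrusted intermediate.
verify_with() {
  openssl verify -CAfile "$W/root.pem" -untrusted "$W/$1.pem" "$W/leaf.pem" >/dev/null 2>&1
}

verify_with subA && echo "leaf + subA: chain verifies"
verify_with subB || echo "leaf + subB: chain fails, although the DN is identical"
```

Dropping the redirection in `verify_with` shows the error OpenSSL reports for the mismatched intermediate.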