I have a DER-encoded PKCS#7 file that I'd like to extract the certificate from, verify that certificate against a specific sub-CA certificate, then use the certificate's public key to verify a signature.
I looked at the code for the pkcs7 tool and it looks directly inside the PKCS7 object to check the type and extract the X509 certificates. Is that the best way to do it? Is there a way that doesn't require relying on the internal structure of the PKCS7 object?

When I try to verify the certificate, it fails with "unable to get local issuer certificate". However, I've added my sub-CA certificate to the X509_STORE object and if I look inside the certificate I'm verifying, its X509v3 Authority Key Identifier matches the sub-CA's X509v3 Subject Key Identifier. I've verified using another tool (Keychain on a Mac, which may use OpenSSL underneath) that the certificate chain is valid.

I'm able to use OpenSSL to programmatically verify that the sub-CA certificate is valid against the root, but not the leaf certificate against the sub-CA certificate. Is there something I'm missing?

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org