Hey,
I tried using this method; the following is the flow:
IF CA: TRUE
    If Self Signed
        ROOT
    else
        Intermediate
else
    Personal
When I try parsing the PKCS7 (.p7b) files, then for Intermediate CA
certificates I get that it's a personal certificate?
Is there something different that I need to do for the p7b file format?
Thanks.
// Harshvir
On Fri, Sep 16, 2011 at 2:33 PM, Jakob Bohm <[email protected]> wrote:
> On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
>
>> I already tried this command, but it's not giving any information showing
>> whether it's a root certificate or a client certificate.
>> - Harshvir
>> On Fri, Sep 16, 2011 at 1:53 PM, Jakob Bohm <[email protected]> wrote:
>>
>> On 9/16/2011 7:58 PM, Harshvir Sidhu wrote:
>>
>> Hi,
>> In openssl is there some method using which I can find
>> whether the certificate in a file is a Client Certificate or a
>> CA/Root Certificate?
>> - H S
>>
>> Try the following command, and look for the CA property and also see
>> if the certificate lists itself or someone else as issuer:
>>
>> openssl x509 -in somecert.cer -noout -text >somecert.txt
>>
>> (somecert.txt will then contain a nice human readable printout of
>> the certificate)
>>
>> Look for the following three things in somecert.txt:
>
> 1. Look at the "Issuer:" and "Subject:" lines.
>
> If they are identical, this is a self-signed certificate and thus
> either a CA root or a useless test certificate.
>
> If they are different this is either an end certificate (client or
> server) or an intermediary CA.
>
> 2. Look under "X509v3 extensions:" for "X509v3 Basic Constraints:".
>
> If it is there and the next line says "CA:TRUE", it is a CA.
>
> If it is there and the next line says "CA:FALSE", it is
> an end certificate (client or server).
>
> If it is not there, and the next item below is not there either, it is
> an end certificate (client or server).
>
> 3. Look under "X509v3 extensions:" for "X509v3 Key Usage:".
>
> If it is there and the next line includes the phrase "Certificate Sign",
> it is a CA.
>
> If it is there and the next line does not include the phrase
> "Certificate Sign", it is an end certificate (client or server).
>
> If it is not there, and the item above is not there either, it is
> an end certificate (client or server).
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
>