Thank you Jacob and Stephen. That brings one more question which was posted by Klaus sometime back:
"Hi!

I wrote a small program which dumps all root certificates from the Windows certificate store into a file. Then I use openssl to connect to Google and validate its certificate:

  openssl s_client -connect www.google.com:443 -CAfile dump.crt

When using openssl 0.9.8k or openssl 0.9.8x everything works as expected. When using openssl 1.0.0g or openssl 1.0.1c the certificate validation fails with:

  Verify return code: 10 (certificate has expired)

  CONNECTED(0000016C)
  depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
  verify error:num=10:certificate has expired
  notAfter=Jan 7 23:59:59 2004 GMT
  verify return:0
  ---
  Certificate chain
   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
     i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
     i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

When analyzing the cafile with the dumped certificates from the Windows certificate store, I found out that there are two certificates for Verisign with identical subject, whereas one is expired, the other not.

  X.509 Certificate Information:
    Version: 1
    Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
    Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
    Validity:
      Not Before: Mon Jan 29 00:00:00 UTC 1996
      Not After:  Wed Jan 07 23:59:59 UTC 2004
    Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
    Subject Public Key Algorithm: RSA

  X.509 Certificate Information:
    Version: 1
    Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
    Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
    Validity:
      Not Before: Mon Jan 29 00:00:00 UTC 1996
      Not After:  Tue Aug 01 23:59:59 UTC 2028
    Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
    Subject Public Key Algorithm: RSA

Thus, it seems that openssl 0.9.8 just ignores the expired certificate and searches if there is another valid one, whereas openssl 1.0.0 stops with the first expired certificate.

Is the new behavior the intended behavior? Is it possible to have the old behavior also in new openssl versions?

Thanks
Klaus"

Is this behaviour intended in openssl-1.0.0?

--
Ashok

On Fri, Aug 3, 2012 at 3:28 AM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Thu, Aug 02, 2012, Ashok C wrote:
>
> > Hi,
> >
> > Is there a way in which I can determine the correct issuer certificate of
> > an issued certificate (either intermediate CA or end entity) based on
> > comparing the immediate pair alone?
> > Eg:
> > My hierarchy is like this:
> >
> > Root
> >   Intermediate CA 1
> >     Intermediate CA 2
> >       End entity
> >
> > Is it possible to determine that Intermediate CA 2 is the issuer of the End
> > entity certificate without having to traverse the full hierarchy?
> >
> > I do not want to depend upon issuername-subjectname comparisons alone (as
> > this is not deterministic and conclusive).
> > I do not want to depend upon Authority Key Identifier / Subject Key
> > Identifier's keyId fields (as most CAs seem to not have this extension at
> > all).
> >
> > Basically I want some signature check method from openSSL that can take two
> > certificates as input and tell me if one has issued the other:
> >
> > int openSSL_signature_check(X509* issuer_certificate, X509* issued_certificate)
> > {
> >     int return_code = signature_check(issuer_certificate, issued_certificate);
> >     if (0 == return_code)
> >         return YES_ISSUER_IS_CORRECT;
> >     else
> >         return NO_ISSUER_IS_NOT_CORRECT;
> > }
> >
> > Is something like this already available in openSSL?
> >
>
> You can use the function X509_verify to do this but you have to extract the
> public key from the issuer using X509_get_pubkey.
>
> > One more question:
> > Given a certificate and trust store, openSSL's verify utility currently
> > returns OK in case the verification was successful. Is there a way in which
> > I can retrieve the formed and verified chain of certificates back?
> >
>
> There isn't a command line option to do this but the API call
> X509_STORE_CTX_get1_chain will retrieve the chain from an X509_STORE_CTX
> structure.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org