> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Friday, 22 February, 2013 06:03

> On 2/21/2013 2:29 PM, ashish2881 wrote:
> > I have a certificate chain in a file chain.pem. It also has the root
> > certificate (self-signed).
> > How can I verify the chain, if all certificates are present
> > in the chain?

I'm not sure if OP means chain.pem contains the chain certs and the 
root cert, or if they have chain.pem and also e.g. root.pem.

> I recently tested this myself, and here are my (preliminary) results:
> 
> If using the OpenSSL API in a program, you can load the chain
> and the CA cert into two "X509 stores", then loop over the store
> calling a function to validate each certificate in the chain store
> against the CA store with options to use the chain store to locate
> intermediary certificates.
> 
You can, but you don't need to. As long as you identify which 
is the end-entity cert, just X509_verify_cert that against 
a store containing (at least) the other certs. OpenSSL will 
build the chain from the specified cert to and including 
the root, and verify all of it. If there's an error anywhere 
and you have a callback set, that will tell you where.

> But on the command line, things are unnecessarily difficult.
> 
No, for the same reason. If chain.pem doesn't already contain 
the root, add it; either way call the result chainx.pem. If 
EE cert is first in chainx.pem, which is fairly common practice, 
openssl verify -CAfile chainx.pem chainx.pem takes the *first* 
cert from chainx.pem and verifies its full chain (if possible) 
from (a store containing) all the other certs in chainx.pem.
If the EE cert isn't first, extract it to entity.pem and 
openssl verify -CAfile chainx.pem entity.pem.

The one limitation, implicit above, is "a" chain, singular.
If there is more than one chain above a given cert or subtree -- 
e.g. Clam-Shack-CA has its own root but also is cross-certified 
by Certs-R-Us -- X509_verify_cert can only do one of them per call.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
