Re: X509 V1 intermediate CA vs end-entity

2012-10-21 Thread Kyle Hamilton
You can find out if the V1 cert verifies directly with any of the
certificates in the trust store or its own public key.  There's pretty
much nothing else you can do with it, other than try to link it to a
Distinguished Name that may or may not be useful.

Also, (EXFLAG_V1|EXFLAG_SS) doesn't tell you if it's intended to be a
CA certificate.  X.509 actually disclaims the idea of self-signed
certificates altogether (except as containers for trust anchors).

-Kyle H

On Tue, Sep 25, 2012 at 10:33 PM, sanjaya joshi joshi.sanj...@gmail.com wrote:
 Hi Steve,
   Thanks. Got it.
 That means we can't differentiate between CA and end-entity in case of V1
 certificate.
 We can only find out if the V1 cert is a self-signed certificate or not.
 Correct?

 Regards,
 Sanjaya


 On Wed, Sep 26, 2012 at 2:36 AM, Dr. Stephen Henson st...@openssl.org
 wrote:

 On Tue, Sep 25, 2012, sanjaya joshi wrote:

 
  We can conclude an X509 V1 certificate to be a root CA using
  (EXFLAG_V1|EXFLAG_SS).
  Similarly, is there a way to know whether an X509 V1 certificate is an
  intermediate CA or end-entity certificate ?
 

 You can't: there is nothing in a V1 certificate to mark it as a CA. You can't
 actually be sure it is a root CA using the test you mentioned above: it could
 be a self signed end entity certificate.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List openssl-users@openssl.org
 Automated List Manager   majord...@openssl.org




Re: X509 V1 intermediate CA vs end-entity

2012-09-25 Thread Kyle Hamilton
Can you figure out a way to do it from the v1 fields?  keyUsage is an
extension requiring v3.

-Kyle H
On Sep 24, 2012 11:28 PM, sanjaya joshi joshi.sanj...@gmail.com wrote:

 Hi,

 We can conclude an X509 V1 certificate to be a root CA using
 (EXFLAG_V1|EXFLAG_SS).
 Similarly, is there a way to know whether an X509 V1 certificate is an
 intermediate CA or end-entity certificate ?

 Regards,
 Sanjaya



Re: X509 V1 intermediate CA vs end-entity

2012-09-25 Thread Dr. Stephen Henson
On Tue, Sep 25, 2012, sanjaya joshi wrote:

 
 We can conclude an X509 V1 certificate to be a root CA using
 (EXFLAG_V1|EXFLAG_SS).
 Similarly, is there a way to know whether an X509 V1 certificate is an
 intermediate CA or end-entity certificate ?
 

You can't: there is nothing in a V1 certificate to mark it as a CA. You can't
actually be sure it is a root CA using the test you mentioned above: it could
be a self signed end entity certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
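
The point in the reply above can be seen in the certificate encoding itself. The following is an added example, not code from the thread or from OpenSSL: a small DER walker showing that a V1 TBSCertificate has neither the [0] version field nor the [3] extensions field, so there is nowhere for basicConstraints or keyUsage to live. The function name and the sample byte arrays are hypothetical; the samples are constructed skeletons with empty placeholder fields.

```c
#include <stddef.h>

/* Read one DER tag/length header; return pointer to the value, NULL if malformed. */
static const unsigned char *der_hdr(const unsigned char *p, const unsigned char *end,
                                    unsigned *tag, size_t *len)
{
    if (end - p < 2) return NULL;
    *tag = *p++;
    size_t n = *p++;
    if (n & 0x80) {                      /* long form: low 7 bits count length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - p) < k) return NULL;
        for (n = 0; k > 0; k--) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;
    *len = n;
    return p;
}

/* Hypothetical helper. Returns 1 if the certificate has an extensions field
 * (so basicConstraints may be present and must be checked), 0 if it has none
 * (nothing in the certificate can mark it as a CA), -1 if malformed. */
int x509_ca_marker_possible(const unsigned char *der, size_t derlen, int *version)
{
    const unsigned char *end = der + derlen, *p, *tbs_end;
    unsigned tag;
    size_t len;
    int has_ext = 0;

    p = der_hdr(der, end, &tag, &len);              /* Certificate SEQUENCE */
    if (!p || tag != 0x30) return -1;
    p = der_hdr(p, p + len, &tag, &len);            /* TBSCertificate SEQUENCE */
    if (!p || tag != 0x30) return -1;
    tbs_end = p + len;
    *version = 1;                                   /* [0] version absent => v1 */
    while (p < tbs_end) {
        const unsigned char *v = der_hdr(p, tbs_end, &tag, &len);
        if (!v) return -1;
        if (tag == 0xA0 && len == 3 && v[0] == 0x02 && v[1] == 1)
            *version = v[2] + 1;                    /* [0] EXPLICIT INTEGER */
        if (tag == 0xA3) has_ext = 1;               /* [3] extensions, v3 only */
        p = v + len;
    }
    return has_ext;
}

/* Constructed skeletons (empty placeholder fields), not real certificates. */
const unsigned char SAMPLE_V1[] = { 0x30,0x14, 0x30,0x0D, 0x02,0x01,0x01,
    0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x03,0x01,0x00 };
const unsigned char SAMPLE_V3[] = { 0x30,0x1D, 0x30,0x16, 0xA0,0x03,0x02,0x01,0x02,
    0x02,0x01,0x01, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00,
    0xA3,0x02,0x30,0x00, 0x30,0x00, 0x03,0x01,0x00 };
```

A return of 0 means a verifier has no in-certificate basis for treating the certificate as a CA; whether to accept it as one is then a matter of explicit trust-store configuration.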


Re: X509 V1 intermediate CA vs end-entity

2012-09-25 Thread sanjaya joshi
Hi Steve,
  Thanks. Got it.
That means we can't differentiate between CA and end-entity in case of V1
certificate.
We can only find out if the V1 cert is a self-signed certificate or not.
Correct?

Regards,
Sanjaya

On Wed, Sep 26, 2012 at 2:36 AM, Dr. Stephen Henson st...@openssl.org wrote:

 On Tue, Sep 25, 2012, sanjaya joshi wrote:

 
  We can conclude an X509 V1 certificate to be a root CA using
  (EXFLAG_V1|EXFLAG_SS).
  Similarly, is there a way to know whether an X509 V1 certificate is an
  intermediate CA or end-entity certificate ?
 

 You can't: there is nothing in a V1 certificate to mark it as a CA. You can't
 actually be sure it is a root CA using the test you mentioned above: it could
 be a self signed end entity certificate.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org