Re: Passing Cert chain file as RAW buffer

2022-02-23 Thread Brahmaji K
Hi Team, My question was on openssl version 1.1.1d. On Wed, Feb 23, 2022 at 10:25 PM Brahmaji K wrote: > Hi Team, > > I have a cert chain file as shown below: > -----BEGIN CERTIFICATE----- > : > : > -----END CERTIFICATE----- > -----BEGIN CERTIFICATE-----

Passing Cert chain file as RAW buffer

2022-02-23 Thread Brahmaji K
Hi Team, I have a cert chain file as shown below: -----BEGIN CERTIFICATE----- : : -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- : : -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- : : -----END CERTIFICATE----- Is it possible to convert

Re: [openssl-users] cert chain file ordering question

2018-01-10 Thread Norm Green
On 1/9/18 19:32, Viktor Dukhovni wrote: This Key Usage is more appropriate. When the "Key Usage" is present in a CA certificate, it *MUST* include "Certificate Sign". That was indeed the problem.  Thank you!! It seems strange to me that OpenSSL will allow creation of a CA cert (CA:TRUE) that m

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Viktor Dukhovni
> On Jan 9, 2018, at 8:29 PM, Norm Green wrote: > > openssl x509 -in secondIntermedCa.pem -noout -text > Signature Algorithm: sha256WithRSAEncryption > Issuer: 1.3.6.1.4.1.47749.1.1 = userCA, CN = EmeaCA > Subject: 1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA > X509

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Viktor Dukhovni
> On Jan 9, 2018, at 8:29 PM, Norm Green wrote: > > >Or correctly fails to verify? > Perhaps. Hopefully you'll be able to tell me. When you post machine-readable certificates, not just "-text" output. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Norm Green
>Or correctly fails to verify? Perhaps.  Hopefully you'll be able to tell me. Here's the version info and a dump of the certs. Thanks for your help. Norm openssl version -a OpenSSL 1.1.0g  2 Nov 2017 built on: reproducible build, date unspecified platform: linux-x86_64 compiler: /usr/bin/gcc -D

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Viktor Dukhovni
> On Jan 9, 2018, at 7:28 PM, Norm Green wrote: > > It still doesn't verify correctly. Or correctly fails to verify? > To simplify, I tried it with 1 intermediate CA. Here's the chain: > > rootCa.pem - self-signed root cert. CN = rootCA > firstIntermedCa.pem - intermediate CA cert signed by

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Norm Green
It still doesn't verify correctly. To simplify, I tried it with 1 intermediate CA. Here's the chain: rootCa.pem - self-signed root cert. CN = rootCA firstIntermedCa.pem - intermediate CA cert signed by rootCa.pem. CN = EmeaCA secondIntermedCa.pem - intermediate CA cert signed by firstIntermedCa

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Viktor Dukhovni
> On Jan 9, 2018, at 6:43 PM, Norm Green wrote: > > What is the correct order of intermediate CA certs in the untrusted chain > file? The untrusted CA list is a heap, the order is irrelevant. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Norm Green
Well that is not *at all* obvious from the documentation, but ok. What is the correct order of intermediate CA certs in the untrusted chain file? On 1/9/2018 3:36 PM, Viktor Dukhovni wrote: The correct way to verify a chain is to put the root CA in a CAfile, intermediate CAs in an "untruste

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Viktor Dukhovni
> On Jan 9, 2018, at 6:04 PM, J Decker wrote: > > The certs are built into a stack... they are pushed... so element 0 is the > last thing in the list. > The chain starts with 0, and then can search the rest. This is either false or irrelevant depending on what you intended (too terse to know

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Viktor Dukhovni
> On Jan 9, 2018, at 5:55 PM, Norm Green wrote: > > Same result. The only way it seems to work is if the leaf cert appears at the > end of the file. You're badly mistaken. *ONLY* the first certificate in the file is verified. When you put the leaf cert at the end, you're *ONLY* verifying the

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread J Decker
The certs are built into a stack... they are pushed... so element 0 is the last thing in the list. The chain starts with 0, and then can search the rest. On Tue, Jan 9, 2018 at 2:55 PM, Norm Green wrote: > On 1/9/2018 6:03 AM, Benjamin Kaduk wrote: > >> Did you try something like (with a 1.1.0

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Norm Green
On 1/9/2018 6:03 AM, Benjamin Kaduk wrote: Did you try something like (with a 1.1.0 installation): openssl verify -CAfile RootCA.pem -untrusted chain.pem chain.pem with the leaf certificate as the first one in chain.pem? Same result. The only way it seems to work is if the leaf cert appears

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread Benjamin Kaduk via openssl-users
On 01/08/2018 06:33 PM, Norm Green wrote: > This question is regarding OpenSSL 1.1. > > Let's say I have this trust hierarchy: > > RootCA > CA1 > CA2 > CA3 > userCert > > > So userCert is signed by CA3, CA3 is signed by CA2, and so on up to > RootCA, which is a self-signed root cert. > > If I combi

[openssl-users] cert chain file ordering question

2018-01-08 Thread Norm Green
This question is regarding OpenSSL 1.1. Let's say I have this trust hierarchy: RootCA CA1 CA2 CA3 userCert So userCert is signed by CA3, CA3 is signed by CA2, and so on up to RootCA, which is a self-signed root cert. If I combine CA1,CA2,CA3 and userCert into single PEM file, chain.pem, th

[openssl-users] Question about X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN for a cert chain including the root cert

2017-08-21 Thread Bernhard Fröhlich
Hi there, I have a question about certificate chain checking when the chain includes a root certificate. The server I want to connect to with openssl s_client (Version 0.9.8zc) sends this certificate chain: 0 s:Server's cert i:Intermediate cert 1 s:Intermediate cert i:Root 1 cert 2 s:Root

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-30 Thread David Li
Ben, I think you are right. My verify test is okay now if I match the subjectAltName to the nameConstraints defined by the subCA. Thanks. David On Mon, Jun 29, 2015 at 6:23 PM, Ben Humpert wrote: > Yes, because nameConstraints are inherited. > > I don't know exactly where the bug lies but I st

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-29 Thread Ben Humpert
Yes, because nameConstraints are inherited. I don't know exactly where the bug lies but I strongly advise NOT to use nameConstraints because while there is a standard nobody has implemented full or correctly working support for it. I ran various tests some weeks ago and the result was horrible. Se

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-29 Thread David Li
The subCA has nameConstraints in the subCA configuration file: [name_constraints] permitted;DNS.0 = example.com client configuration file has subjectAltName: subjectAltName = DNS: www.cs.com So is this a mismatch? How come s_client/s_server test was okay? On Mon, Jun 29, 2015 at 2:12 PM, B

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-29 Thread Ben Humpert
Do you use nameConstraints or have specified IP in subjectAltName? Because OpenSSL can't handle that correctly. 2015-06-29 22:51 GMT+02:00 David Li : > Hi, > > As a test, I have created a rootCA, a subCA (signed by the rootCA) and > a client cert (signed by the subCA). Now I want to use verify, >

[openssl-users] How to verify a cert chain using Openssl command line?

2015-06-29 Thread David Li
Hi, As a test, I have created a rootCA, a subCA (signed by the rootCA) and a client cert (signed by the subCA). Now I want to use verify, s_client and s_server to test them together. However I searched and tried a number of times but still unsure about the correct syntax format in verify command.

RE: OpenSSL doesn't pass full cert chain

2014-01-07 Thread Dave Thompson
build out its own chain if necessary and possible. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fahim Sent: Tuesday, January 07, 2014 14:15 To: openssl-users@openssl.org Subject: RE: OpenSSL doesn't pass full cert chain Hello Dave, I wo

RE: OpenSSL doesn't pass full cert chain

2014-01-07 Thread Fahim
Hello Dave, I would like to simplify the issue as follows. 1. Both client and server perform the SSL handshake using a cert chain. 2. In our case the server responds correctly with the entire chain of certs (the server is some proprietary system). 3. The client is also expected to send the

RE: OpenSSL doesn't pass full cert chain

2014-01-06 Thread Dave Thompson
ssert the peer should trust these CAs when verifying you, then you ought to trust them also. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fahim Sent: Saturday, January 04, 2014 12:36 To: openssl-users@openssl.org Subject: OpenSSL doesn't

OpenSSL doesn't pass full cert chain - (Resending)

2014-01-05 Thread Fahim
Hello, We are looking for a potential tweak or customization of openSSL for an existing project, and I was wondering if I could get your input. Summary: we want to alter or configure openSSL so that it will pass the entire cert chain for authentication instead of just the first certificate

OpenSSL doesn't pass full cert chain

2014-01-04 Thread Fahim
Hello, We are looking for a potential tweak or customization of openSSL for an existing project, and I was wondering if I could get your input. Summary: we want to alter or configure openSSL so that it will pass the entire cert chain for authentication instead of just the first certificate

Re: Verification error, weird cert chain for portfolio.iguw.tuwien.ac.at

2012-03-15 Thread Florian Pritz
On 15.03.2012 14:52, Rob Stradling wrote: > On 15/03/12 13:11, Florian Pritz wrote: >> Hi, >> >> When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an >> ssl cert validation error. Since it worked fine in firefox/chromium I >> tried to use openssl directly and got the following, bu

Re: Verification error, weird cert chain for portfolio.iguw.tuwien.ac.at

2012-03-15 Thread Rob Stradling
On 15/03/12 13:11, Florian Pritz wrote: Hi, When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an ssl cert validation error. Since it worked fine in firefox/chromium I tried to use openssl directly and got the following, but I fail to understand what it means although I see that

Verification error, weird cert chain for portfolio.iguw.tuwien.ac.at

2012-03-15 Thread Florian Pritz
Hi, When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an ssl cert validation error. Since it worked fine in firefox/chromium I tried to use openssl directly and got the following, but I fail to understand what it means although I see that the chain looks strange (0->1 i:TERENA is

Re: Verification error, weird cert chain for portfolio.iguw.tuwien.ac.at

2012-03-15 Thread yyy
Pritz" To: Sent: Thursday, March 15, 2012 3:11 PM Subject: Verification error, weird cert chain for portfolio.iguw.tuwien.ac.at When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an ssl cert validation error. Since it worked fine in firefox/chromium I tried to use openssl di

Verification error, weird cert chain for portfolio.iguw.tuwien.ac.at

2012-03-15 Thread Florian Pritz
Hi, When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an ssl cert validation error. Since it worked fine in firefox/chromium I tried to use openssl directly and got the following, but I fail to understand what it means although I see that the chain looks strange (0->1 i:TERENA is

Re: cert chain out of order breaks openssl

2012-02-14 Thread Dr. Stephen Henson
On Tue, Feb 14, 2012, Timothy Kay wrote: > We have been baffled for a long time that curl cannot access websites that > work just fine in the browser (unless we use --insecure, of course). The > curl documentation points you to http://curl.haxx.se/docs/sslcerts.html, > which explains that your ser

Re: cert chain out of order breaks openssl

2012-02-14 Thread Jakob Bohm
On 2/14/2012 6:46 PM, Timothy Kay wrote: > We have been baffled for a long time that curl cannot > access websites that work just fine in the browser > (unless we use --insecure, of course). The curl > documentation points you to > http://curl.haxx.se/docs/sslcerts.html, which explains > that you

Re: cert chain out of order breaks openssl

2012-02-14 Thread Dr. Stephen Henson
On Tue, Feb 14, 2012, Timothy Kay wrote: > Erik, > > Thanks for the pointer. It's very helpful. > > HOWEVER, I can give you dozens of different sites that do it wrong, yet > they all work in the browsers. Clearly that particular part of the spec is > no longer relevant, and openssl should be upd

Re: cert chain out of order breaks openssl

2012-02-14 Thread Jeffrey Walton
On Tue, Feb 14, 2012 at 3:22 PM, Timothy Kay wrote: > > Thanks for the pointer. It's very helpful. > > HOWEVER, I can give you dozens of different sites that do it wrong, yet they > all work in the browsers. Clearly that particular part of the spec is no > longer relevant, and openssl should be up

Re: cert chain out of order breaks openssl

2012-02-14 Thread Timothy Kay
t workaround was to repackage the .PFX. > > ** ** > > Erik > > > > *Erik Tkal** > *Juniper OAC/UAC/Pulse Development > > > > > > *From:* owner-openssl-us...@openssl.org [mailto: > owner-openssl-us

RE: cert chain out of order breaks openssl

2012-02-14 Thread Erik Tkal
rom: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Timothy Kay Sent: Tuesday, February 14, 2012 12:46 PM To: openssl-users@openssl.org Subject: cert chain out of order breaks openssl We have been baffled for a long time that curl cannot access websites that work

RE: Cert chain verification failures

2011-03-31 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of David Coulson > Sent: Wednesday, 30 March, 2011 10:24 > On 3/30/11 8:33 AM, Crypto Sal wrote: > > David: > > > > Firefox caches that information, so that it can use them > later if you > > view a similar certificate hierarchy. > > > > If you v

Re: Cert chain verification failures

2011-03-30 Thread David Coulson
On 3/30/11 8:33 AM, Crypto Sal wrote: David: Firefox caches that information, so that it can use them later if you view a similar certificate hierarchy. If you view the Firefox Certificate Manager you should see "Software Security Device" vs. that of "Built in Object" next to each of the

Re: Cert chain verification failures

2011-03-30 Thread Crypto Sal
On 03/29/2011 01:16 PM, David Coulson wrote: On 3/29/11 12:58 PM, Bruce Stephens wrote: Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate. Okay, I see that - Makes sense. When

Re: Cert chain verification failures

2011-03-29 Thread Bruce Stephens
David Coulson writes: > On 3/29/11 12:58 PM, Bruce Stephens wrote: >> Add the -showcerts option to the s_client commands and you'll see the >> first server returns a chain of certificates where the second offers >> only the end server certificate. > Okay, I see that - Makes sense. When I hit the

Re: Cert chain verification failures

2011-03-29 Thread David Coulson
On 3/29/11 12:58 PM, Bruce Stephens wrote: Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate. Okay, I see that - Makes sense. When I hit the hostname w/ Firefox I'm able to se

Re: Cert chain verification failures

2011-03-29 Thread Bruce Stephens
David Coulson writes: [...] > OpenSSL has other ideas. First one validates fine, second one does > not. I can't for the life of me figure out what the difference is. > > Any ideas? Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates

Cert chain verification failures

2011-03-29 Thread David Coulson
Probably missing something simple, but I'm having a tough time validating the CA chain for a certificate. There is a second certificate, seemingly signed by the same CA which does validate. I'm not sure how useful this tool is, but it seems to indicate both certs were signed by the same CA.

Re: SSL cert chain validation & timestamp issues

2010-12-21 Thread David Schwartz
On 12/20/2010 10:49 AM, travis+ml-open...@subspacefield.org wrote: So a friend ran into this lately; libnss, at least on Linux, checks that the signing cert (chain) is valid at the time of signature - as opposed to present time. (It may check present time as well - not sure on that) This is

Re: SSL cert chain validation & timestamp issues

2010-12-20 Thread Victor Duchovni
On Mon, Dec 20, 2010 at 10:49:57AM -0800, travis+ml-open...@subspacefield.org wrote: > libnss, at least on Linux, checks that the signing cert (chain) is valid > at the time of signature - as opposed to present time. (It may check > present time as well - not sure on that) > >

SSL cert chain validation & timestamp issues

2010-12-20 Thread travis+ml-openssl
So a friend ran into this lately; libnss, at least on Linux, checks that the signing cert (chain) is valid at the time of signature - as opposed to present time. (It may check present time as well - not sure on that) This makes for problems if you renew the cert, since the new cert will have a

Re: templates and cert chain validity

2008-07-11 Thread Christian Weber
else leak, but fails return iRet; } ... I've been looking into the sources to find a place where the cert chain checking is done in terms of the certs' span of life. Downwards the chain each cert should become valid while the issuer's cert is valid. I thought the right place would be somewhere

templates and cert chain validity

2008-07-11 Thread Weber
the temporary items correctly. Do you have any hints? Is the above approach reasonable? == I've been looking into the sources to find a place where the cert chain checking is done in terms of the certs' span of life. Downwards the chain each cert should become valid while the issuer's cert is

cert chain validity

2008-07-11 Thread Weber
Hi there, I've been looking into the sources to find a place where the cert chain checking is done in terms of the certs' span of life. Downwards the chain each cert should become valid while the issuer's cert is valid. I thought the right place would be somewhere within x509_vfy.c, perha

templates and cert chain validity

2008-07-10 Thread Christian Weber
sing how to release the temporary items correctly. Do you have any hints? Is the above approach reasonable? == I've been looking into the sources to find a place where the cert chain checking is done in terms of the certs' span of life. Downwards the chain each cert should become valid while t

Sending cert chain through openssl s_client

2007-11-29 Thread Rocky S
Hi, I have the following certs 1) End user cert subject: enduser whatever issuer : Intermediate CA whatever 2) Intermediate CA cert subject: Intermediate CA whatever issuer : Actual CA whatever 3) Actual CA cert (self signed) subject : Actual CA whatever issuer : Actual CA whate

Sending cert chain through openssl s_client

2007-11-28 Thread Rocky S
Hi, I have the following certs 1) End user cert subject: enduser whatever issuer : Intermediate CA whatever 2) Intermediate CA cert subject: Intermediate CA whatever issuer : Actual CA whatever 3) Actual CA cert (self signed) subject : Actual CA whatever issuer : Actual CA whatever I

RE: How to Limit the Cert chain to some specified number...

2007-05-05 Thread Usman Riaz
Thanks Goetz, much appreciated! Regards, Usman. > Date: Sat, 5 May 2007 13:59:04 +0200> From: [EMAIL PROTECTED]> CC: [EMAIL PROTECTED]> Subject: Re: How to Limit the Cert chain to some specified number...> To: [EMAIL PROTECTED]> > Hello Usman,> > --On Mai 05, 2007

Re: How to Limit the Cert chain to some specified number...

2007-05-05 Thread Goetz Babin-Ebell
Hello Usman, --On Mai 05, 2007 14:11:08 +0500 Usman Riaz <[EMAIL PROTECTED]> wrote: I want to issue my customers certificates signed by my certificate (a self-signed certificate). I want to limit the issued certificate not to act as a CA. I would like to specify the cert chain len

How to Limit the Cert chain to some specified number...

2007-05-05 Thread Usman Riaz
also uses openssl in the background). I would like to specify the cert chain length when generating my Root CA (a little bit easier for me :), don't know if it is possible) rather than when creating the customer certs. Any help/comments are highly appreciated. Regards,

Re: Validating Cert Chain

2006-08-30 Thread Marek Marcola
Hello, > i have a question about this following method > > int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, >X509 *x509, STACK_OF(X509) *chain); > > if i understand this correctly the argument 'x509' is the cert that you want > to be verified & the 'chain' is

Re: Validating Cert Chain

2006-08-29 Thread k b
from files containing pem certs ? -kb From: Marek Marcola <[EMAIL PROTECTED]> Reply-To: openssl-users@openssl.org To: openssl-users@openssl.org Subject: Re: Validating Cert Chain Date: Sat, 26 Aug 2006 01:22:19 +0200 Hello, > Hi, > How do i validate a certificate chain. is there a

Re: Validating Cert Chain

2006-08-25 Thread Richard Kao
You can also consider using function int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk), if a stack of certs is available. Rick From: Marek Marcola <[EMAIL PROTECTED]> Reply-To: openssl-users@openssl.org To: openssl-users@openssl.org Subject: Re: Validating Cert Chain Date: Sat,

Re: Validating Cert Chain

2006-08-25 Thread Marek Marcola
Hello, > Hi, > How do I validate a certificate chain? Is there an EVP API for it? > thanks If we are talking about verifying an X509 cert against CA certs this may be done for example like: - FILE *fp; X509_STORE * CAcerts; X509 * cert; X509_STORE_CTX ca_ctx; char *strer

Validating Cert Chain

2006-08-25 Thread k b
Hi, How do I validate a certificate chain? Is there an EVP API for it? thanks Kunal From: Marek Marcola <[EMAIL PROTECTED]> Reply-To: openssl-users@openssl.org To: openssl-users@openssl.org Subject: Re: OpenSSL Generating Extra Packets Date: Fri, 25 Aug 2006 23:51:45 +0200 Hello, > I am workin

cert chain building post tls handshake

2006-07-25 Thread Charlie Lenahan
Originally I was using the SSL_get_peer_cert_chain() func, which I thought was giving me the cert chain built up to verify the peer cert from the certs that I added to the SSL_CTX->cert_store, but then I discovered that it really is the cert chain given by the client during the TLS handshake. T

Re: [openssl-users] Requirements for valid CA certs within a cert chain

2005-03-07 Thread ohaya
Erwann, Thanks for all the detailed comments!! Jim __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager

Re: [openssl-users] Requirements for valid CA certs within a cert chain

2005-03-07 Thread Erwann ABALEA
Bonjour, Hodie pr. Non. Mar. MMV est, ohaya scripsit: > This is the self-signed root CA cert. It is now V3, and has the AKI and > SKI. Good. >It still has "Digital Signature", as I wasn't sure about what to > do with that on the root CA cert: It's useless, as you'll really use the Root certifi

Re: [openssl-users] Requirements for valid CA certs within a cert chain

2005-03-06 Thread ohaya
Erwann and Steve, Thanks for all the comments. Here're a new set of certs where I think that I've taken care of the points raised by both of you. I'd appreciate your review. This is the self-signed root CA cert. It is now V3, and has the AKI and SKI. It still has "Digital Signature", as I wa

Re: [openssl-users] Requirements for valid CA certs within a cert chain

2005-03-05 Thread Dr. Stephen Henson
On Sat, Mar 05, 2005, Erwann ABALEA wrote: > Bonsoir, > > > > X509v3 Authority Key Identifier: > > > > keyid:FF:78:E3:03:37:8D:EA:0F:1D:ED:B0:C7:D2:48:49:C6:90:D1:D5:B0 > > Problem. The issuer of this certificate doesn't have any > subjectKeyIdentifier extension, so

Re: [openssl-users] Requirements for valid CA certs within a cert chain

2005-03-05 Thread Erwann ABALEA
Bonsoir, Hodie III Non. Mar. MMV est, ohaya scripsit: > This is the SUB ROOT CA's Cert: > > Certificate: [...] > Validity > Not Before: Mar 2 06:08:03 2005 GMT > Not After : Feb 27 09:22:27 2008 GMT A little less than 3 years for the duration is a bit short. Not

Re: Requirements for valid CA certs within a cert chain

2005-03-05 Thread ohaya
> > Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has > > "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate > > Sign, CRL Sign". > > > > I can't recall saying the CA certificate needed "digital signature". It > doesn't but if you sign with user certific

Re: Requirements for valid CA certs within a cert chain

2005-03-05 Thread ohaya
> The standards don't actually say much about the root CA at present. However it > should really have those extensions. It is also a V1 and not a V3 certificate. > This might be because you are following one of the old or inaccurate guides or > even the odd book that gives incorrect instructions.

Re: Requirements for valid CA certs within a cert chain

2005-03-05 Thread Dr. Stephen Henson
On Sat, Mar 05, 2005, ohaya wrote: > Hi, > > > Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has > "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate > Sign, CRL Sign". > I can't recall saying the CA certificate needed "digital signature". It doesn't

Requirements for valid CA certs within a cert chain

2005-03-05 Thread ohaya
It seems like this is working, i.e., I can issue client and server certificates from the subroot CA, and they seem to work all right and I can verify the cert chain from the end certificate back to the root CA certificate. But, I was looking at the CA certs that I ended up with, using "openssl

Re: Doubt regarding cert-chain validation (fwd)

2004-11-18 Thread Charles B Cranston
his either in 3280 or the OpenSSL dox but cannot now remember. Lucenius Jan wrote: On Tue, 16 Nov 2004, David Schwartz wrote: X509_verify_cert will construct the cert chain up to the ROOT CA and then validates the chain and finally verify the self-certificate. What I understand is that this funct

RE: Doubt regarding cert-chain validation (fwd)

2004-11-16 Thread Lucenius Jan
On Tue, 16 Nov 2004, David Schwartz wrote: > > > X509_verify_cert will construct the cert chain up to the ROOT CA and then > > validates the chain and finally verify the self-certificate. What I > > understand is that this function expects the ROOT CA to be > > sel

RE: Doubt regarding cert-chain validation (fwd)

2004-11-16 Thread David Schwartz
> X509_verify_cert will construct the cert chain up to the ROOT CA and then > validates the chain and finally verify the self-certificate. What I > understand is that this function expects the ROOT CA to be > self-signed and > it MUST be present in the trusted list. Rig

Doubt regarding cert-chain validation (fwd)

2004-11-15 Thread Suram Chandra Sekhar
Hi all, I have a doubt regarding X509_verify_cert. What I understand from the documentation of "verify" is that we need to pass all the trusted certs and all the un-trusted certs. X509_verify_cert will construct the cert chain up to the ROOT CA and then validates the chain and fina

Doubt regarding cert-chain validation

2004-11-12 Thread Chandra Sekhar Suram
Hi all, I have a doubt regarding X509_verify_cert. What I understand from the documentation of "verify" is that we need to pass all the trusted certs and all the un-trusted certs. X509_verify_cert will construct the cert chain up to the ROOT CA and then validates the chain and finally

Re: How to get peer cert chain?

2003-10-03 Thread Lutz Jaenicke
On Thu, Oct 02, 2003 at 02:56:44PM -0700, Dann Daggett wrote: > In openssl-0.9.7c/demos/sign/sign.c the comments state (as does the > man page): > > /* Just load the crypto library error strings, >* SSL_load_error_strings() loads the crypto AND the SSL ones */ > /* SSL_load_error_strings()

RE: How to get peer cert chain?

2003-10-02 Thread Dann Daggett
Hi All, In openssl-0.9.7c/demos/sign/sign.c the comments state (as does the man page): /* Just load the crypto library error strings, * SSL_load_error_strings() loads the crypto AND the SSL ones */ /* SSL_load_error_strings();*/ ERR_load_crypto_strings(); Yet if I try to load the ssl st

Re: How to get peer cert chain?

2003-10-02 Thread Lutz Jaenicke
ign] -> [my own cert] > > > After loading 2 parent certs with SSL_CTX_load_verify_locations(), the > verify callback does not complain anymore. However, that's not enough for > me. I also have to provide a mechanism to examine the whole cert chain, check > for problems and sa

How to get peer cert chain?

2003-10-01 Thread jiang lei
After loading 2 parent certs with SSL_CTX_load_verify_locations(), the verify callback does not complain anymore. However, that's not enough for me. I also have to provide a mechanism to examine the whole cert chain, check for problems and save them onto disk for later use, j

RE: Tweaking the default cert chain verification

2003-09-19 Thread Mats Nilsson
Richard Levitte - VMS Whacker wrote: > Well, with my scheme, the "entire chain" goes from the leaf to your > point of trust, not further. Checking CRLs between those two points > makes sense, doesn't it? Henrik Nordström outlined the reasons to do > so in message > <[EMAIL PROTECTED]>. Yes, of

Re: Tweaking the default cert chain verification

2003-09-18 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Thu, 18 Sep 2003 16:04:28 +0200, "Mats Nilsson" <[EMAIL PROTECTED]> said: mats.nilsson> Sorry. Imprecise wording. I meant that since I would mats.nilsson> like to be able to terminate the certificate validation mats.nilsson> at a particular point in the certifica

Re: Tweaking the default cert chain verification

2003-09-17 Thread Dr. Stephen Henson
On Wed, Sep 17, 2003, Mats Nilsson wrote: > Hi > > Using OpenSSL-0.9.7b. > > We are building an application where we want to have a flexible model > for certificate trust. In essence, we want to be able to say: > > CA0 (self signed) is explicitly trusted > CA1 (signed by CA0)

Tweaking the default cert chain verification

2003-09-17 Thread Mats Nilsson
Hi Using OpenSSL-0.9.7b. We are building an application where we want to have a flexible model for certificate trust. In essence, we want to be able to say: CA0 (self signed) is explicitly trusted CA1 (signed by CA0) is explicitly trusted CA2 (signed by CA1) is neutral

RE: Cert chain confusion

2003-09-17 Thread Henrik Nordstrom
On Tue, 16 Sep 2003, Dann Daggett wrote: > I understand. Are there options on how the chain is presented? > In particular, is it always presented as a single (combined) > response to the client, or can/does the client make a second > request for the next cert up the chain if it finds it does not >

RE: Cert chain confusion

2003-09-16 Thread Dann Daggett
Thank you Henrik, it's getting clearer :) But, just a couple more questions? :) > If the certificate is issued by a second level CA and the > client trusts the higher level CA who issued the > certificate for the second level CA then you must present > the CA chain or else the client will not be

Re: Cert chain confusion

2003-09-16 Thread Henrik Nordstrom
On Tue, 16 Sep 2003, Dann Daggett wrote: > Now, when an outsider connects to my secure server, my server > should present that client with a certificate right? Which > certificate does it present? The server's cert, or the CA's? The servers. > Or does it need to present both? It does not hurt t

Cert chain confusion

2003-09-16 Thread Dann Daggett
Hello All, I wonder if someone would be so kind as to provide a bit more detail regarding certificate chains and how it affects the openssl setup? For this discussion, let's assume I've created my own CA self-signed cert, and then created a cert for each of my virtual servers and signed each with

Re: Getting the CERT chain

2002-07-16 Thread Lutz Jaenicke
On Tue, Jul 16, 2002 at 03:06:53PM -0700, Patrick Powell wrote: > > From: Lutz Jaenicke <[EMAIL PROTECTED]> > > OpenSSL itself uses hashes for comparison. If the hashes are identical, > > so are the certificates. > > Ummm... is there an example piece of code that does the hash generation > and th
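The hash comparison Lutz describes, and the chain ordering Patrick asks about in the earlier message of this thread, as an added example that is not code from the thread or from OpenSSL: it hashes each certificate's DER encoding (equal digests mean the same certificate), splits a PEM bundle into its certificates, and checks that the bundle is leaf-first with every certificate's issuer Name equal to the next certificate's subject Name. The certificates it works on are synthetic, unsigned DER skeletons built by `make_placeholder_cert()` (an assumed helper, constructed here only to exercise the parser); in practice `split_pem_chain()` is fed a real chain file. Names are compared byte-for-byte, which is stricter than a real validator's canonicalised comparison.

```python
"""Added example: compare certificates by hashing their DER and check the order
of a PEM chain. The sample certificates are constructed, unsigned placeholders."""
import base64
import hashlib
import re


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, one commonName (2.5.4.3)
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def make_placeholder_cert(subject_cn, issuer_cn, serial):
    """Synthetic X.509 DER skeleton (constructed; the signature is zero bytes)."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    rsa_enc = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, rsa_enc + _tlv(0x03, b"\x00" + bytes(8)))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))       # [0] version v3
               + _tlv(0x02, bytes([serial]))         # serialNumber
               + sha256_rsa                          # signature algorithm
               + _name(issuer_cn)                    # issuer
               + validity                            # validity
               + _name(subject_cn)                   # subject
               + spki)                               # subjectPublicKeyInfo
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + bytes(16)))


def _read_tlv(buf, pos):
    """Return (tag, value, end) for the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def subject_issuer(der):
    """Return (subject, issuer) as the raw DER Name encodings of a certificate."""
    _, cert, _ = _read_tlv(der, 0)            # Certificate
    _, tbs, _ = _read_tlv(cert, 0)            # TBSCertificate
    tag, _, pos = _read_tlv(tbs, 0)           # optional [0] version
    if tag != 0xA0:
        pos = 0                               # no version: first element was the serial
    _, _, pos = _read_tlv(tbs, pos)           # serialNumber
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _read_tlv(tbs, pos)
    issuer = tbs[start:pos]
    _, _, pos = _read_tlv(tbs, pos)           # validity
    start = pos
    _, _, pos = _read_tlv(tbs, pos)
    subject = tbs[start:pos]
    return subject, issuer


_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_chain(text):
    """DER of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in _PEM_CERT.findall(text)]


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-256 over the DER; identical digests mean identical certificates."""
    return hashlib.sha256(der).hexdigest()


def same_certificate(der_a, der_b):
    return fingerprint(der_a) == fingerprint(der_b)


def chain_order_problems(ders):
    """Indices i where ders[i]'s issuer is not ders[i+1]'s subject (leaf-first order)."""
    problems = []
    for i in range(len(ders) - 1):
        _, issuer = subject_issuer(ders[i])
        subject, _ = subject_issuer(ders[i + 1])
        if issuer != subject:
            problems.append(i)
    return problems


# Constructed sample: leaf, then intermediate, then root, as a server would send it
SAMPLE_CHAIN = "".join(to_pem(c) for c in (
    make_placeholder_cert("user.example.test", "Example Issuing CA", 3),
    make_placeholder_cert("Example Issuing CA", "Example Root CA", 2),
    make_placeholder_cert("Example Root CA", "Example Root CA", 1),
))

if __name__ == "__main__":
    certs = split_pem_chain(SAMPLE_CHAIN)
    for der in certs:
        print(fingerprint(der))
    print("order problems:", chain_order_problems(certs))
```

Point `split_pem_chain()` at a real bundle (`open("chain.pem").read()`) and an empty list from `chain_order_problems()` means the file is in the leaf-first order a server's chain file needs; a non-empty list names the positions where the chain breaks.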

Re: Getting the CERT chain

2002-07-16 Thread Patrick Powell
> From [EMAIL PROTECTED] Thu Jul 11 07:26:50 2002 > Date: Thu, 11 Jul 2002 16:20:58 +0200 > From: Lutz Jaenicke <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED], [EMAIL PROTECTED] > Subject: Re: Getting the CERT chain > > On Thu, Jul 11, 2002 at 07:12:30AM -0700, Patrick P

Re: Getting the CERT chain

2002-07-11 Thread Lutz Jaenicke
ng the SSL connection process, if a user CERT has >been presented, get the cert chain? SSL_get_peer_cert_chain(). > Question 2: >Now I just KNOW that I saw this, and everybody is going to laugh at this, >but: > >If I have found a CERT using, say, peer = SSL_get_peer_

Getting the CERT chain

2002-07-11 Thread Patrick Powell
Question 1: Is there a simple way using exported (i.e. - available to general use via the openssl library and having definitions in openssl.h) OpenSSL functions to do the following: During the SSL connection process, if a user CERT has been presented, get the cert chain? Here is the code

Re: Cert Chain

2001-10-04 Thread Louis LeBlanc
oot ca in the html tree wherever you deem appropriate, and request it from the browser. Once you have installed it, and the cert chain is properly defined, your browser should trust the server implicitly. HTH Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :

Re: Cert Chain

2001-10-04 Thread Averroes
Hi Louis, I have a new question for you. After making the certificate chain, Say, Root-CA --> Sub-CA --> User-Cert. I want to publish this CA chain in pkcs7 file. Do you think it is the best format, if not which format do you prefer for that? And which openssl's command do I need to us

Re: Cert chain verify failure

2001-07-26 Thread Jeff Smith
Thanks. it works. Jeff Dr S N Henson wrote: > >Jeff Smith wrote: > > > > ... and using -verbose option, the step (3) verify would produce: > > > > % openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt > > > > error 18 at 0 depth lookup:self signed certificate > > error 7 at 0 depth

Re: Cert chain verify failure

2001-07-25 Thread Dr S N Henson
Jeff Smith wrote: > > ... and using -verbose option, the step (3) verify would produce: > > % openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt > > error 18 at 0 depth lookup:self signed certificate > error 7 at 0 depth lookup:certificate signature failure > 21970:error:0407006

Re: Cert chain verify failure

2001-07-25 Thread Jeff Smith
... and using -verbose option, the step (3) verify would produce: % openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt error 18 at 0 depth lookup:self signed certificate error 7 at 0 depth lookup:certificate signature failure 21970:error:0407006A:rsa routines:RSA_padding_check_P

Re: Cert chain verify failure

2001-07-25 Thread Jeff Smith
I forgot to mention that I could successfully verify ca2.crt after step (2) using % openssl verify -CAfile ca.crt ca2.crt clnt1.crt: OK In addition to the question I had, I am wondering if there is any workaround. What I need is a 2-level ca hierarchy. Thanks - Jeff Jeff Smith wrote: > >
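The two-level hierarchy Jeff is verifying here, plus the server chain file Henrik describes in the "Cert chain confusion" thread and the PKCS#7 bundle asked about in the "Cert Chain" thread, as an added, self-contained example that is not from any of those messages: it creates a root (`ca.crt`), an intermediate (`ca2.crt`) and an end-entity certificate (`user.crt`) with the names used in this thread, then shows `openssl verify -CAfile ca.crt -untrusted ca2.crt user.crt` succeeding and the same verification failing when the intermediate is left out. The CN values, extension files and temp-directory layout are assumptions made for the example; it needs only a stock `openssl` binary on PATH.

```sh
#!/bin/sh
# Added example: build root -> intermediate -> leaf and verify the chain.
# Assumes a stock openssl on PATH; everything is written to a temp directory.
set -eu

WORK=$(mktemp -d)

# Extension files are constructed here. A certificate used as an issuer must
# carry CA:TRUE and keyCertSign, or openssl verify refuses it as a CA.
cat > "$WORK/root_ext.cnf" <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/ca_ext.cnf" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
cat > "$WORK/leaf_ext.cnf" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Self-signed root (ca.crt)
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -new -key "$WORK/ca.key" -subj "/CN=Example Root CA" -out "$WORK/ca.csr"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/root_ext.cnf" -out "$WORK/ca.crt" 2>/dev/null

# Intermediate (ca2.crt), issued by the root
openssl genrsa -out "$WORK/ca2.key" 2048 2>/dev/null
openssl req -new -key "$WORK/ca2.key" -subj "/CN=Example Issuing CA" -out "$WORK/ca2.csr"
openssl x509 -req -in "$WORK/ca2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 2 -days 1825 -extfile "$WORK/ca_ext.cnf" -out "$WORK/ca2.crt" 2>/dev/null

# End-entity (user.crt), issued by the intermediate
openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
openssl req -new -key "$WORK/user.key" -subj "/CN=user.example.test" -out "$WORK/user.csr"
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca2.crt" -CAkey "$WORK/ca2.key" \
    -set_serial 3 -days 365 -extfile "$WORK/leaf_ext.cnf" -out "$WORK/user.crt" 2>/dev/null

# verify_chain ROOT UNTRUSTED LEAF: succeeds when LEAF chains to ROOT.
# An empty UNTRUSTED reproduces the failure seen when the intermediate is missing.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# pem_chain_for_server LEAF INTERMEDIATE OUT: leaf first, then its issuer,
# root omitted; this is the order a server's chain file must have.
pem_chain_for_server() {
    cat "$1" "$2" > "$3"
}

# count_certs FILE: number of PEM certificates in FILE
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# pkcs7_bundle OUT CERT...: wrap the given certificates in a PKCS#7 (.p7b) file
pkcs7_bundle() {
    out=$1
    shift
    cat "$@" > "$out.pem"
    openssl crl2pkcs7 -nocrl -certfile "$out.pem" -out "$out"
}

# count_pkcs7_certs FILE: number of certificates inside a PKCS#7 file
count_pkcs7_certs() {
    openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

verify_chain "$WORK/ca.crt" "$WORK/ca2.crt" "$WORK/user.crt" && echo "with -untrusted ca2.crt: OK"
verify_chain "$WORK/ca.crt" "" "$WORK/user.crt" || echo "without the intermediate: verify fails"
```

The failing case is the same shape as the thread's problem: the trust store holds only the root, so the verifier cannot build a path from `user.crt` unless `ca2.crt` is supplied, either on the command line with `-untrusted` or, for a TLS server, in the chain file the server sends after its own certificate.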

Sorry... PKCS5 cert chain question

2000-11-06 Thread Aaron Jackson
Sorry about the last message it was user error on my part. Please disregard the previous message, as it was incomplete. This is the finished version... I'm trying to get a handle on what needs to be done to get a commercial product I just started administering to provide ssl access to three di
