Well, I think I've figured it out by myself now. I found and read some information about the way Windows verifies certificates (trying to build a certificate chain with the certificates from its "trusted" store(s), assigning preference values to the chains found, and such). It occurred to me that the certificate chain one sometimes sees when looking at a certificate file in Windows comes from that process, rather than from the file itself. Remember, I had a personal certificate "cert1", signed by a CA whose public key I had in a different certificate "cert2", which in turn was signed by a root CA whose public key I had in another, self-signed certificate "cert3". Now, importing "cert2" into some certificate store under Windows (I chose "Intermediate CAs") and then double-clicking on my personal certificate "cert1", I indeed saw it as part of a chain with "cert2" on top. In the chain, "cert1" was deemed "OK", while for "cert2", "the issuer of this certificate could not be found". Of course, cert2's issuer field contained a DN for which I did not yet have a certificate in my stores. So I imported "cert3" into "Trusted Root CAs", and then double-clicking on the same old "cert1" file brings up a three-part chain ending in "cert3", with all members being just "OK".
So Microsoft, trying to be "clever" again, seems to have fooled me into thinking the chain could be in the file, whereas now I know it isn't in my example file, and I suspect it can never be. If anyone can confirm this, I'd be interested. Using Windows, I can of course export the whole certificate chain into a PKCS#7 file, and that is something openssl seems to be missing: a command to build PKCS#7 files from a list of certificates. All that "openssl pkcs7" seems able to do is convert an existing file between DER and PEM formats, and I haven't found another command with that functionality. Maybe you would want to expand openssl there. Anyway, thanks for your attention.

Sebastian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
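The behaviour Sebastian describes can be reproduced on the command line. The script below is an added example, not part of the original message or the OpenSSL project: it builds a three-level chain with openssl (a self-signed root standing in for "cert3", an intermediate for "cert2", and an end-entity certificate for "cert1"), shows that the leaf file contains only its own certificate, verifies the leaf with and without the intermediate available, and then packs all three into a PKCS#7 bundle with "openssl crl2pkcs7 -nocrl -certfile ...", which is the command the post was looking for. It assumes openssl (1.0.2 or later) is on PATH; the subject names and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project): build a
# three-level chain, verify the leaf with and without the intermediate, and
# pack the chain into a PKCS#7 file with "openssl crl2pkcs7".
# Assumptions: openssl 1.0.2+ on PATH; all subject and file names are made up.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extension files: the two CA certificates need CA:TRUE, the leaf must not.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
EOF

# Key + CSR helper: RSA 2048, no passphrase, stderr chatter suppressed.
gen_csr() {  # gen_csr NAME SUBJECT
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "$2" -out "$1.csr" 2>/dev/null
}

# "cert3" in the post: a self-signed root CA.
gen_csr root "/CN=Test Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null
# "cert2": an intermediate CA signed by the root.
gen_csr int "/CN=Test Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.pem 2>/dev/null
# "cert1": the end-entity certificate signed by the intermediate.
gen_csr leaf "/CN=test.example"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# A certificate file carries only its own certificate (expect 1 for leaf.pem);
# the chain is built by the verifier from whatever is in its stores.
count_pem_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Verify the leaf with only the root trusted: prints "fail", because the
# issuer (the intermediate) cannot be found, the same complaint Windows gave.
verify_root_only() {
    if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Supply the intermediate as an untrusted chain certificate: the path
# leaf -> int -> root is now complete and the leaf verifies ("ok").
verify_with_intermediate() {
    if openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# What "openssl pkcs7" cannot do, "openssl crl2pkcs7 -nocrl" can: wrap a list
# of certificates into a PKCS#7 (degenerate SignedData) bundle, the same kind
# of file the Windows "export certificate chain" dialog produces.
build_pkcs7() {
    openssl crl2pkcs7 -nocrl -certfile leaf.pem -certfile int.pem \
        -certfile root.pem -out chain.p7b
}

# Count the certificates inside the bundle by listing their subject lines.
count_p7_certs() {
    openssl pkcs7 -in chain.p7b -print_certs -noout | grep -c '^subject='
}

echo "certificates in leaf.pem:        $(count_pem_certs leaf.pem)"
echo "verify, root only:               $(verify_root_only)"
echo "verify, root + intermediate:     $(verify_with_intermediate)"
build_pkcs7
echo "certificates in chain.p7b:       $(count_p7_certs)"
```

The "-untrusted" file plays the role of the Windows "Intermediate CAs" store: openssl uses it only to build the path, and trust still has to end in a certificate given via -CAfile (or the system trust store). Dropping -nocrl from the crl2pkcs7 call would make it expect a CRL on stdin, which is why it is there.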