Hello Jehan:

In answer to your question on certificate path construction, there is, in fact, a standard. First of all, this is now collectively known as Path Discovery and Validation, and the canonical algorithm for a PKIX-compliant PKI is in RFC 5280 (a previous, and slightly more ambiguous, algorithm is in RFC 3280). Second, there are several implementations; take a look at the NIST PDVal working group. If you are running Unix, then you may be able to use Pathfinder (full disclosure: it is a project sponsored by my company), and have it handle your trust fabric resolution:

http://code.google.com/p/pathfinder-pki/

As for how to correctly build the profiles for PKI, given that you are in France, I would suggest contacting the PRIS; they have published a compendium of the profiles that are suggested for doing PKI in France. For other jurisdictions, you may want to take a look at the profiles published in the Certificate Policies of the US Federal Bridge CA, the Canadian Government PKI, CertiPath, and SAFE.

Have fun.

Patrick.

jehan procaccia wrote:
> hello,
> in a recent thread on this list about "add extension to an existing
> (signed) CA certificate" I was wondering how openssl software validates a
> certificate chain.
> jehan procaccia wrote:
>> Can someone tell me how SSL clients check/verify a 3-level hierarchy?
>> is it based on extension authorityKeyIdentifier?
>> At a specific level (1/2/3) it must match keyid? and/or issuer
>> (DirName, human readable)? and/or serial of its nearest (just above)
>> parent?
>> is this procedure clarified somewhere?
> I finally found this presentation:
> http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf
> which starts by telling
> "The certification path construction process has not been standardized,
> and there is very little published information available"
>
> Well, since that publication dates from 2002, I wonder if there are new
> recommendations/practices and perhaps a real standard way to build and verify
> a certification path nowadays?
>
> From that same thread ("add extension to an existing (signed) CA
> certificate") you would understand that my actual PKI root-ca probably
> needs to be rebuilt from scratch (sub-sub-ca and all leaf certs :-(
> as well) because it lacks "basic constraint CA:TRUE" at the root.
> so I want this time to start on good practice, notably for the
> extensions.
> Root-CA should have: (idem for sub-ca?)
>
> [ROOT_CA]
> nsComment = "root CA"
> subjectKeyIdentifier = hash
> #authorityKeyIdentifier = keyid:always,issuer#? maybe not that
> one for root-ca, only for sub-ca
> basicConstraints = critical,CA:TRUE
> keyUsage = keyCertSign, cRLSign
>
> Thanks.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
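Added example, not code from either poster nor from Pathfinder: a shell script that builds a three-level root / sub-CA / leaf hierarchy with the extensions discussed above, runs RFC 5280 path validation on it with `openssl verify`, and then shows the same intermediate rejected when it is issued with CA:FALSE. The subject names, file names and the `[bad_sub]` profile are constructed for the demonstration; it assumes the openssl command-line tool (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example (not from the thread): 3-level chain with the extensions
# discussed above, validated per RFC 5280 by `openssl verify`. Assumes openssl >= 1.1.1.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Constructed profiles: the self-signed root carries only an SKID; the sub-CA adds
# an AKID (must match the root's SKID) and pathlen:0; [bad_sub] is a CA:FALSE mistake.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[bad_sub]
basicConstraints = critical,CA:FALSE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
# Self-signed root, then a CSR per lower level, each signed by its parent.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
  -config ext.cnf -extensions root_ca -keyout root.key -out root.pem 2>/dev/null
for n in sub leaf; do
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
    -config ext.cnf -keyout $n.key -out $n.csr 2>/dev/null
done
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ext.cnf -extensions sub_ca -out sub.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 30 -extfile ext.cnf -extensions leaf -out leaf.pem 2>/dev/null
# Same sub-CA key and name (so SKID/AKID still match) but issued with CA:FALSE:
# only the basicConstraints check in path validation can reject it.
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ext.cnf -extensions bad_sub -out bad_sub.pem 2>/dev/null
# Path validation: root = trust anchor, intermediate via -untrusted; exit 0 = valid chain.
verify_chain() { openssl verify -CAfile root.pem -untrusted "$1" leaf.pem; }
verify_chain sub.pem                                   # leaf.pem: OK
verify_chain bad_sub.pem || echo "rejected: intermediate is not a CA"
```

The validator walks leaf -> sub-CA -> root, checking each signature, the AKID/SKID link and the basicConstraints and keyUsage of every intermediate; the CA:FALSE intermediate fails that last step even though the signature and key identifiers match.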