Hi Mayur,

I have used the openssl program named verify like this:

openssl verify -CApath /path/to/symbolic/links/folder -CAfile /path/to/PEM/encoded.file certificate.cer

This command verifies the certificate stored in certificate.cer against the certificates found in /path/to/symbolic/links/folder and in /path/to/PEM/encoded.file.

In order to get the same functionality via the OpenSSL API, you may have a look at the source code of the verify program, which may be found in /openssl-1.0.0d/apps/verify.c

Regards,
Ciprian

On Mon, Jul 18, 2011 at 6:38 AM, Mayur Premi <premi.ma...@gmail.com> wrote:

> Hi Ciprian,
>
> Thanks for the immediate reply.
> I have some questions on both the approaches suggested.
>
> You can create a file where you may concatenate all your trusted
> certificates in PEM format and use that file for verification.
>
> [Mayur]--- Is there any openSSL api which helps parsing this file [say
> myStorageFile] which has all my root certificates in it?
> Also my intention, as mentioned in the scenario in the previous mail, is that
> I'll be passing a chain A -->B and would like to find C [self signed, root
> certificate] from myStorageFile.
>
> Another way is to store your trusted certificates in PEM format in
> filesystem and create a folder from where you create symbolic links to every
> certificate. The symbolic link name should be named as <HASH>.0. <HASH> can
> be obtained from the certificate using -hash option like:
> openssl x509 -in root.cer -hash
>
> [Mayur]---- After storing links to my PEM format Certificate files, how
> do I parse the folder having links to get root C for my chain A -->B?
>
> Regards,
> Mayur
>
> On Fri, Jul 15, 2011 at 10:05 PM, Ciprian Pavel
> <ciprian.pa...@gmail.com> wrote:
>
>> Hi Mayur,
>>
>> You can create a file where you may concatenate all your trusted
>> certificates in PEM format and use that file for verification.
>> Another way is to store your trusted certificates in PEM format in
>> filesystem and create a folder from where you create symbolic links to every
>> certificate. The symbolic link name should be named as <HASH>.0. <HASH> can
>> be obtained from the certificate using -hash option like:
>> openssl x509 -in root.cer -hash
>>
>> If you need CRL checking the same procedure can be applied with the
>> exception that the symbolic link name has to be <HASH>.r0.
>>
>> Regards,
>> Ciprian
>>
>> On Fri, Jul 15, 2011 at 3:01 PM, Mayur Premi <premi.ma...@gmail.com> wrote:
>>
>>> Hi,
>>> I am using openssl for signature verification of the files in my
>>> application.
>>> For supporting multiple root certificates, is there a db or storage
>>> area [file] which openssl searches
>>> while finding the root of the passed input certificates?
>>>
>>> I am using X509_Verify_cert api of openssl to verify certificates.
>>>
>>> The scenario is as below:
>>> Say I have 2 certificates A and B in my application, A's issuer is B and
>>> B's issuer is C.
>>> Here C is the [self signed] root certificate. Can I store C somewhere in
>>> openssl and find it
>>> to complete the chain A-->B-->C
>>>
>>> Regards,
>>> Mayur
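
The hashed-folder approach from the thread, as an added example that is not part of the original messages: it builds a constructed chain A -> B -> C, links only the root C as <HASH>.0, and checks A with openssl verify. Passing B through -untrusted, and all file names and subjects, are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example; every name and subject below is constructed for the demo.
set -eu

# Create a key and a CSR for subject $2 under basename $1.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build chain A -> B -> C in directory $1 and a hashed trust folder $1/trusted.
build_demo() {
  local d=$1 h
  mkdir -p "$d/trusted"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d/C" "Demo Root C"
  new_csr "$d/B" "Demo Intermediate B"
  new_csr "$d/A" "Demo Leaf A"
  # C is self-signed; B is issued by C; A is issued by B.
  openssl x509 -req -in "$d/C.csr" -signkey "$d/C.key" -extfile "$d/ca.ext" \
    -days 30 -out "$d/C.pem" 2>/dev/null
  openssl x509 -req -in "$d/B.csr" -CA "$d/C.pem" -CAkey "$d/C.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/B.pem" 2>/dev/null
  openssl x509 -req -in "$d/A.csr" -CA "$d/B.pem" -CAkey "$d/B.key" \
    -CAcreateserial -days 30 -out "$d/A.pem" 2>/dev/null
  # Only the root goes into the trust folder, linked as <HASH>.0.
  h=$(openssl x509 -in "$d/C.pem" -noout -hash)
  ln -s ../C.pem "$d/trusted/$h.0"
}

# Succeeds only if A chains through untrusted B to a root found in CApath $2.
# The output is matched instead of the exit status, which older releases
# did not set reliably on failure.
verify_chain() {
  openssl verify -CApath "$2" -untrusted "$1/B.pem" "$1/A.pem" 2>&1 \
    | grep -q ': OK$'
}

demo=$(mktemp -d)
build_demo "$demo"
verify_chain "$demo" "$demo/trusted" && echo "A -> B -> C verified via CApath"
```

B is never placed in the trust folder: it is only a chain-building candidate, so the result depends solely on whether C is reachable through the <HASH>.0 link.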