You forgot to also check the Key Usage attribute
IF (CA: TRUE OR Key Usage: Certificate Sign)
    If Self Signed
        ROOT
    Else
        Intermediary
Else
    If Self Signed
        Toy certificate
    Else
        End use (server / person / company / etc.)
On 9/29/2011 3:39 PM, Harshvir Sidhu wrote:
Hey,
I tried using this method; following is the flow:
IF CA: TRUE
    If Self Signed
        ROOT
    else
        Intermediate
else
    Personal
When I try parsing the PKCS7 (.p7b) files, then for Intermediate CA
Certificates I get that it's a personal Certificate?
Is there something different that I need to do for the p7b file format?
Thanks.
// Harshvir
On Fri, Sep 16, 2011 at 2:33 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
I already tried this command, but it's not giving any
information showing whether it's a root certificate or a client
certificate.
- Harshvir
On Fri, Sep 16, 2011 at 1:53 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 9/16/2011 7:58 PM, Harshvir Sidhu wrote:
Hi,
In openssl is there some method using which I can find
whether the certificate in a file is a Client Certificate or a
CA/Root Certificate?
- H S
Try the following command, and look for the CA property and also see
if the certificate lists itself or someone else as issuer:
    openssl x509 -in somecert.cer -noout -text >somecert.txt
(somecert.txt will then contain a nice human readable printout of
the certificate)
Look for the following three things in somecert.txt:
1. Look at the "Issuer:" and "Subject:" lines.
   If they are identical, this is a self-signed certificate and thus
   either a CA root or a useless test certificate.
   If they are different this is either an end certificate (client
   or server) or an intermediary CA.
2. Look under "X509v3 extensions:" for "X509v3 Basic Constraints:".
   If it is there and the next line says "CA:TRUE", it is a CA.
   If it is there and the next line says "CA:FALSE", it is
   an end certificate (client or server).
   If it is not there, and the next item below is not there either,
   it is an end certificate (client or server).
3. Look under "X509v3 extensions:" for "X509v3 Key Usage:".
   If it is there and the next line includes the phrase
   "Certificate Sign", it is a CA.
   If it is there and the next line does not include the phrase
   "Certificate Sign", it is an end certificate (client or server).
   If it is not there, and the item above is not there either, it is
   an end certificate (client or server).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
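The checks discussed in this thread (Issuer/Subject comparison, Basic Constraints, Key Usage) can be scripted over the -text printout. The following is an added example, not part of any message in the thread; the function names classify_cert_text and sample_printouts, and the certificate names in the sample, are constructed for illustration.

```shell
# classify_cert_text: read `openssl x509 -noout -text` output on stdin and
# print one verdict per certificate, using the decision tree from the thread.
# "Self-signed" is judged as the thread does: Issuer equals Subject as printed.
classify_cert_text() {
    awk '
    function emit() {
        if (issuer == "") return
        is_ca = (bc_ca || ku_sign)
        selfsigned = (issuer == subject)
        if (is_ca) print (selfsigned ? "root" : "intermediate")
        else       print (selfsigned ? "toy"  : "end-entity")
        issuer = subject = want = ""; bc_ca = ku_sign = 0
    }
    { sub(/^[ \t]+/, "") }                       # drop the printout indentation
    want == "bc" { bc_ca   = ($0 ~ /CA:TRUE/);          want = ""; next }
    want == "ku" { ku_sign = ($0 ~ /Certificate Sign/); want = ""; next }
    /^Certificate:/              { emit() }      # a new certificate starts
    /^Issuer:/                   { issuer  = substr($0, 9) }
    /^Subject:/                  { subject = substr($0, 10) }
    /^X509v3 Basic Constraints:/ { want = "bc" } # value is on the next line
    /^X509v3 Key Usage:/         { want = "ku" }
    END { emit() }
    '
}
# Constructed sample: three trimmed printouts with made-up names.
sample_printouts() {
    cat <<'EOF'
Certificate:
        Issuer: O=Example Org, CN=Example Root CA
        Subject: O=Example Org, CN=Example Root CA
            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate:
        Issuer: O=Example Org, CN=Example Root CA
        Subject: O=Example Org, CN=Example Issuing CA
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
Certificate:
        Issuer: O=Example Org, CN=Example Issuing CA
        Subject: CN=www.example.test
        Subject Public Key Info:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
EOF
}
sample_printouts | classify_cert_text
```

The second sample certificate has no Basic Constraints and is recognised as a CA only through Key Usage, which is the case the first flow in the thread misses. Because a verdict is emitted per "Certificate:" block, the function also handles a printout that holds several certificates.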