Thanks Jakob.
Is this key usage only available in P7b format? When I tried this on CER and P12 formats, it's not working on them; Crypt API is not able to read extended information about Key Usage. Is the process format specific?
I am trying to use the CertFindExtension API for this.

// Harshvir

On Thu, Sep 29, 2011 at 9:42 AM, Jakob Bohm <jb-open...@wisemo.com> wrote:

> You forgot to also check the Key Usage attribute
>
> IF (CA: TRUE OR Key Usage: Certificate Sign)
>    If Self Signed
>       ROOT
>    Else
>       Intermediary
> Else
>    If Self Signed
>       Toy certificate
>    Else
>       End use (server / person / company / etc.)
>
> On 9/29/2011 3:39 PM, Harshvir Sidhu wrote:
>
>> Hey,
>> I tried using this method; following is the flow.
>>
>> IF CA: TRUE
>>    If Self Signed
>>       ROOT
>>    else
>>       Intermediate
>> else
>>    Personal
>>
>> When I try parsing the PKCS7 (.p7b) files, then for Intermediate CA
>> Certificates I get that it's a personal Certificate?
>>
>> Is there something different that I need to do for p7b file format?
>> Thanks.
>> // Harshvir
>>
>> On Fri, Sep 16, 2011 at 2:33 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
>>
>>     On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
>>
>>         I already tried this command, but it's not giving any
>>         information showing whether it's a root certificate or a client
>>         certificate.
>>         - Harshvir
>>         On Fri, Sep 16, 2011 at 1:53 PM, Jakob Bohm
>>         <jb-open...@wisemo.com> wrote:
>>
>>             On 9/16/2011 7:58 PM, Harshvir Sidhu wrote:
>>
>>                 Hi,
>>                 In openssl is there some method using which I can find
>>                 whether the certificate in a file is a Client Certificate or a
>>                 CA/Root Certificate?
>>                 - H S
>>
>>             Try the following command, and look for the CA property and
>>             also see
>>             if the certificate lists itself or someone else as issuer:
>>
>>             openssl x509 -in somecert.cer -noout -text >somecert.txt
>>
>>             (somecert.txt will then contain a nice human readable
>>             printout of
>>             the certificate)
>>
>>     Look for the following three things in somecert.txt:
>>
>>     1. Look at the "Issuer:" and "Subject:" lines.
>>
>>     If they are identical, this is a self-signed certificate and thus
>>     either a CA root or a useless test certificate.
>>
>>     If they are different this is either an end certificate (client
>>     or server)
>>     or an intermediary CA.
>>
>>     2. Look under "X509v3 extensions:" for "X509v3 Basic Constraints:".
>>
>>     If it is there and the next line says "CA:TRUE", it is a CA.
>>
>>     If it is there and the next line says "CA:FALSE", it is
>>     an end certificate (client or server).
>>
>>     If it is not there, and the next item below is not there
>>     either, it is
>>     an end certificate (client or server).
>>
>>     3. Look under "X509v3 extensions:" for "X509v3 Key Usage:".
>>
>>     If it is there and the next line includes the phrase
>>     "Certificate Sign", it is a CA.
>>
>>     If it is there and the next line does not include the phrase
>>     "Certificate Sign",
>>     it is an end certificate (client or server).
>>
>>     If it is not there, and the item above is not there either, it is
>>     an end certificate (client or server).
>>
>>     ______________________________________________________________________
>>     OpenSSL Project                                 http://www.openssl.org
>>     User Support Mailing List                    openssl-users@openssl.org
>>     Automated List Manager                           majord...@openssl.org
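
The decision flow from the thread above, applied to the text that `openssl x509 -noout -text` prints, as an added example that is not part of the original messages. It goes one step further and also splits output holding several certificates, such as `openssl pkcs7 -print_certs -text` produces for a .p7b bundle; the function names and the sample dumps are constructed for illustration.

```python
import re

def field(dump, label):
    """Value of the 'Issuer:' or 'Subject:' line, or None if missing."""
    m = re.search(rf"^[ \t]*{label}:[ \t]*(.+?)[ \t]*$", dump, re.MULTILINE)
    return m.group(1) if m else None

def extension_value(dump, name):
    """The line printed under an 'X509v3 <name>:' header, or '' if absent."""
    pat = rf"^[ \t]*X509v3 {re.escape(name)}:.*\n[ \t]*(.+?)[ \t]*$"
    m = re.search(pat, dump, re.MULTILINE)
    return m.group(1) if m else ""

def classify(dump):
    """Apply the thread's flow to one certificate's text dump."""
    issuer, subject = field(dump, "Issuer"), field(dump, "Subject")
    if issuer is None or subject is None:
        raise ValueError("no Issuer/Subject lines found")
    # Name comparison only, as in the thread; the signature is not verified.
    self_signed = issuer == subject
    is_ca = ("CA:TRUE" in extension_value(dump, "Basic Constraints")
             or "Certificate Sign" in extension_value(dump, "Key Usage"))
    if is_ca:
        return "ROOT" if self_signed else "Intermediary"
    return "Toy certificate" if self_signed else "End use"

def classify_all(text):
    """Classify each certificate in a dump that may contain several."""
    parts = re.split(r"^Certificate:[ \t]*$", text, flags=re.MULTILINE)
    return [classify(p) for p in parts if "Subject:" in p]

def make_sample(issuer, subject, ca=None, usage=None):
    """Constructed, trimmed dump in the layout openssl prints."""
    out = ["Certificate:", "    Data:", f"        Issuer: {issuer}",
           f"        Subject: {subject}", "        X509v3 extensions:"]
    if ca:
        out += ["            X509v3 Basic Constraints: critical",
                f"                CA:{ca}"]
    if usage:
        out += ["            X509v3 Key Usage: critical", f"                {usage}"]
    return "\n".join(out) + "\n"

# Constructed bundle: root, intermediate (Key Usage only), leaf, toy.
SAMPLE_BUNDLE = (
    make_sample("CN=Example Root", "CN=Example Root", "TRUE", "Certificate Sign, CRL Sign")
    + make_sample("CN=Example Root", "CN=Example Sub CA", usage="Certificate Sign, CRL Sign")
    + make_sample("CN=Example Sub CA", "CN=www.example.test", "FALSE", "Digital Signature")
    + make_sample("CN=scratch", "CN=scratch"))

if __name__ == "__main__":
    print(classify_all(SAMPLE_BUNDLE))
```

The second sample has no Basic Constraints extension at all and is still reported as an intermediary because of its Key Usage, which is the case the CA-only flow misses.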