On 2/25/2013 4:26 AM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
Sent: Friday, 22 February, 2013 06:03

On 2/21/2013 2:29 PM, ashish2881 wrote:
I have a certificate chain in a file chain.pem .it also has root
certificate(self signed) .
How can i verify the chain,if all certificates are present
in the chain .

I'm not sure if OP means chain.pem contains the chain certs and the
root cert, or if they have chain.pem and also e.g. root.pem.

I tried to write my answer to work in either case.


I recently tested this myself, and here are my (preliminary) results:

If using the OpenSSL API in a program, you can load the chain and the CA
cert into two "X509 stores", then loop over the store calling a function
to validate each certificate in the chain store against the CA store
with options to use the chain store to locate intermediary certificates.

You can, but you don't need to. As long as you identify which
is the end-entity cert, just X509_verify_cert that against
a store containing (at least) the other certs. OpenSSL will
build the chain from the specified cert to and including
the root, and verify all of it. If there's an error anywhere
and you have a callback set, that will tell you where.

But on the command line, things are unnecessarily difficult.

No, for the same reason. If chain.pem doesn't already contain
the root, add it; either way call the result chainx.pem. If
EE cert is first in chainx.pem, which is fairly common practice,
openssl verify -CAfile chainx.pem chainx.pem takes the *first*
cert from chainx.pem and verifies its full chain (if possible)
from (a store containing) all the other certs in chainx.pem.
If the EE cert isn't first, extract it to entity.pem and
openssl verify -CAfile chainx.pem entity.pem.

The one limitation, implicit above, is "a" chain, singular.
If there is more than one chain above a given cert or subtree --
e.g. Clam-Shack-CA has its own root but also is cross-certified
by Certs-R-Us -- X509_verify_cert can only do one of them per call.


My experience was with GlobalSign certs; they have an old 1024-bit
root and a new 2048-bit root.  The 2048-bit root is also cross-signed
by the old 1024-bit root to facilitate trust by old browsers that only
include the old root.  I was double-checking a combined chain file
before installing it on production web servers that need to work in
both scenarios.

The documentation for the openssl command line tools (I have not
sufficiently checked the source) is quite vague about whether including
an intermediary cert in -CAfile and/or -CApath makes it trusted.  Most
other SSL/X.509 implementations feature clearly separated stores for
trusted CAs, blacklisted CAs and locally available copies of
intermediary certs, which also makes it easier for end users to deal
with incidents such as the recent scandals with mismanaged intermediary
CAs.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
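The points raised in this exchange can be checked empirically with a throwaway PKI. The script below is an added example, not code from this thread or from the OpenSSL project: it builds two self-signed roots ("Old Root" and "New Root", made-up names), cross-signs New Root's key under Old Root, issues an intermediate and an end-entity cert, and then runs Dave's `openssl verify -CAfile chainx.pem chainx.pem` recipe, tests whether an intermediate placed in -CAfile is accepted as a trust anchor (with and without -partial_chain, which is the question Jakob raises about -CAfile), and shows that the chain openssl builds for the same end-entity cert and the same -untrusted helpers depends on which root is in the store, which is Dave's "one chain per call" limitation. All file and subject names are assumptions; `-trusted_first` is spelled out because it only became the default in 1.1.0, and `-show_chain`, `-partial_chain` and `-trusted_first` need 1.0.2 or later.

```shell
#!/bin/sh
# Added example, not code from the thread: builds a throwaway PKI with the openssl
# command line and re-runs the checks discussed above. All names (Old Root, New Root,
# Demo Intermediate, demo.example) are made up; nothing here is a real CA.
set -eu

WORK="${DEMO_DIR:-$(mktemp -d)}"

# Minimal config so `req` and `x509 -req` do not depend on the system openssl.cnf.
# Intermediates need an explicit basicConstraints CA:TRUE or verify rejects them.
write_config() {
cat > "$WORK/demo.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF
}

# new_key NAME: EC P-256 key (fast enough to make six of them)
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"; }

# self_signed NAME CN: a self-signed root
self_signed() {
    new_key "$1"
    openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$2" -days 30 \
        -config "$WORK/demo.cnf" -extensions ca_ext -out "$WORK/$1.pem"
}

# issue NAME CN ISSUER EXT_SECTION: certify NAME's key (created if absent) under ISSUER
issue() {
    [ -f "$WORK/$1.key" ] || new_key "$1"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" \
        -config "$WORK/demo.cnf" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 30 -extfile "$WORK/demo.cnf" -extensions "$4" \
        -out "$WORK/$1.pem" 2>/dev/null || { echo "signing $1 failed" >&2; return 1; }
}

build_pki() {
    write_config
    self_signed root1 "Old Root"
    self_signed root2 "New Root"
    cp "$WORK/root2.key" "$WORK/cross.key"       # New Root's key ...
    issue cross "New Root" root1 ca_ext           # ... certified by Old Root: the cross-cert
    issue int "Demo Intermediate" root2 ca_ext
    issue ee "demo.example" int ee_ext
    cat "$WORK/ee.pem" "$WORK/int.pem" > "$WORK/chain.pem"        # EE first, root omitted
    cat "$WORK/chain.pem" "$WORK/root2.pem" > "$WORK/chainx.pem"  # root appended
    cat "$WORK/int.pem" "$WORK/cross.pem" > "$WORK/untrusted.pem" # helper certs, not trusted
}
ensure_pki() { [ -f "$WORK/untrusted.pem" ] || build_pki; }

# verify_ok ARGS...: succeed only if verify prints ": OK"; exit codes of old builds are unreliable.
# Note: since 1.1.0 the default cert directory is consulted as well unless -no-CApath is given.
verify_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

# chain_length ROOTFILE: number of certs in the chain verify builds for ee.pem when only
# ROOTFILE is trusted and the intermediate plus cross-cert are offered as -untrusted
chain_length() {
    openssl verify -show_chain -trusted_first -CAfile "$WORK/$1" \
        -untrusted "$WORK/untrusted.pem" "$WORK/ee.pem" 2>&1 | grep -c '^depth=' || true
}

report() { label=$1; shift; if verify_ok "$@"; then echo "OK      $label"; else echo "FAILED  $label"; fi; }

ensure_pki
report "EE first, chainx.pem as both target and -CAfile"      -CAfile "$WORK/chainx.pem" "$WORK/chainx.pem"
report "same, but chain.pem lacks the root"                   -CAfile "$WORK/chain.pem"  "$WORK/chain.pem"
report "only the intermediate in -CAfile"                     -CAfile "$WORK/int.pem"    "$WORK/ee.pem"
report "only the intermediate in -CAfile, with -partial_chain" -partial_chain -CAfile "$WORK/int.pem" "$WORK/ee.pem"
echo "chain length trusting only Old Root: $(chain_length root1.pem)"   # 4: goes through the cross-cert
echo "chain length trusting only New Root: $(chain_length root2.pem)"   # 3: cross-cert not used
```

Run it with a POSIX shell and an openssl binary on PATH; set DEMO_DIR to keep the generated files for inspection. The second and third checks fail because, without -partial_chain, OpenSSL only treats a self-signed cert in the store as a trust anchor, so a bare intermediate in -CAfile is not enough; the last two lines show that X509_verify_cert settles on whichever of the two possible chains the trust store lets it complete, and that a store holding both roots would still yield only one of them per call.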
