> From: owner-openssl-us...@openssl.org On Behalf Of ashish2881
> Sent: Wednesday, 27 February, 2013 06:05

> I have a .pem file say : chain.pem
> chain.pem == server certificate -> intermediate CA certificate
> -> self signed root certificate.
>
> Now I am writing the code in C using OpenSSL APIs to verify
> this (chain.pem) chain.
> filename ======> chain.pem
> Currently I am doing like this:
> SSL_CTX *sslctx = NULL;
> STACK_OF(X509)* ca_stack = NULL ;
> sslctx = SSL_CTX_new(SSLv23_server_method());
>
> BIO_new(BIO_s_file_internal());
> x =PEM_read_bio_X509

Aside: if your server cert is reliably the first one in chain.pem,
you could just use the first entry in ca_stack below instead of
doing a separate read.

> store=X509_STORE_new
> vrfy_ctx = X509_STORE_CTX_new();
> SSL_CTX_use_certificate_chain_file(sslctx, filename)
> ca_stack = sslctx->extra_certs
> X509_STORE_CTX_init(vrfy_ctx, NULL, x, ca_stack)
> X509_verify_cert(vrfy_ctx)
>
> ---I am seeing error while doing this ..... am I doing
> everything right .....

To have verify_cert succeed it must find the root in the 'store'
provided to _CTX_init (which you left NULL), or in separately set
_trusted_chain. You *may* also have intermediate certs in either of
those places instead of, or in addition to, the (untrusted) 'chain'.

So it's easiest to just provide all of ca_stack as trusted; or load
the file into sslctx->store with _load_verify_locations (instead of
extra_certs with _use_certificate_chain_file) and use _get_cert_store
as your store.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org