Thanks all for your valuable info. Yes, the certificates that I use have AKID and SKID extensions. Right now I think my chain is built based on the issuer name. I use MS API CertGetCertificateChain to build the certificate chain. I need to modify it to build the chain based on the AKID & SKID of the certificate. Could someone tell me how I can go about it?
Thanks
Harish

Bruno Bonfils-2 wrote:
>
> On Wed 19 December, luvlee_ghg wrote:
>> When the issued certificate is sent for verification, it always fails. I
>> think while building the certificate chain it's building with the wrong
>> SUBCA because it finds two of them with the same name. So I would like to
>> know how a certificate chain can be built in case there are two CAs with
>> a similar name present in the certificate store. How to use the CA of the
>> issued certificate to build the chain for verification?
>
> Do you have AKI/SKI X509v3 extensions in your certificates? I'm not an
> expert on openssl internals, but regarding X509_check_issued (defined in
> v3_purp.c), openssl can use aki/ski to check the chain of verification.
>
> However, maybe openssl tried the first CA certificate (the bad one),
> called check_issued, and doesn't try any other ones since an error
> occurred.
>
> my two cents
>
> --
> http://asyd.net/home/ - Home Page
> http://guses.org/home/ - French Speaking (Open)Solaris User Group
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [EMAIL PROTECTED]

--
View this message in context: http://www.nabble.com/Help-required-on-building-certificate-chain-tp14422191p14440838.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
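The issuer-selection problem discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL or CryptoAPI code: a small path builder over constructed certificate records that compares name-only matching with AKID/SKID matching and keeps trying further same-name candidates. The `Cert` record, its `label` field and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (no real parsing)."""
    label: str                   # hypothetical handle, for readable output only
    subject: str
    issuer: str
    skid: Optional[str] = None   # Subject Key Identifier
    akid: Optional[str] = None   # Authority Key Identifier (keyIdentifier only)

def may_have_issued(ca, cert, use_key_ids=True):
    """Candidate test: names must chain; key ids, if both present, must match."""
    if ca.subject != cert.issuer:
        return False
    if use_key_ids and cert.akid and ca.skid:
        return cert.akid == ca.skid
    return True

def build_chain(cert, store, anchors, use_key_ids=True, _seen=()):
    """Depth-first path search that tries every candidate, not only the first.
    A real verifier must still check each signature; that is not modelled here."""
    if cert in anchors:
        return [cert]
    for ca in store:
        if ca == cert or ca in _seen:
            continue  # never revisit a certificate already on this path
        if not may_have_issued(ca, cert, use_key_ids):
            continue
        rest = build_chain(ca, store, anchors, use_key_ids, _seen + (cert,))
        if rest is not None:
            return [cert] + rest
    return None

def labels(chain):
    return [c.label for c in chain] if chain else None

# Constructed sample: two sub-CAs share one subject name under the same root.
ROOT = Cert("root", "CN=Root CA", "CN=Root CA", skid="a0", akid="a0")
SUBCA_OLD = Cert("subca-old", "CN=Sub CA", "CN=Root CA", skid="b1", akid="a0")
SUBCA_NEW = Cert("subca-new", "CN=Sub CA", "CN=Root CA", skid="b2", akid="a0")
LEAF = Cert("leaf", "CN=user", "CN=Sub CA", skid="c3", akid="b2")
STORE = [SUBCA_OLD, SUBCA_NEW, ROOT]   # the wrong sub-CA is found first
ANCHORS = {ROOT}

if __name__ == "__main__":
    print("name only:", labels(build_chain(LEAF, STORE, ANCHORS, use_key_ids=False)))
    print("with AKID:", labels(build_chain(LEAF, STORE, ANCHORS)))
```

With name-only matching the path goes through `subca-old`, whose key did not sign the leaf, so signature verification of that path would fail; with key identifiers the builder selects `subca-new`.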
