Basically, a certificate is a public key (KEY 1) signed by another key
(KEY 2).
If there exists a certificate for the second key (KEY 2) signed by a third
key (KEY 3), then we have a "certificate chain":
cert(KEY 1) <-- cert(KEY 2) <-- cert(KEY 3)
where "A <-- B" means "A is signed by B". Of course, there could be more
than three certificates/keys in the chain:
cert(KEY 1) <-- cert(KEY 2) <-- .....<--cert(KEY N)
The original certificate cert(KEY 1) for KEY 1 is valid if and only if:
1) each certificate cert(KEY i) in the chain is signed by the key from the
next certificate cert(KEY i+1)
2) all certificates in the chain have valid signatures
3) the last certificate cert(KEY N) is "trusted" (because nothing
validates it!).
Usually (but not necessarily!) the last certificate cert(KEY N) contains
the public key of a root certificate authority (like Verisign, etc.)
signed by its private key.
Aleksey Sanin
XML Security Library <http://www.aleksey.com/xmlsec>
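The three rules above, worked through as an added example in Python (this is not code from Aleksey's reply, from xmlsec or from OpenSSL). To stay self-contained it uses textbook RSA over fixed Mersenne primes as a stand-in for real signatures; the keys, the CA names and the "alice@example.com" subject are all constructed for illustration and the moduli are far too small to be secure. The chain is a list with the end-entity certificate first and the claimed root last, the same order as the `cert(KEY 1) <-- ... <-- cert(KEY N)` notation.

```python
"""Toy certificate-chain validation following the three rules from the post.
Constructed example: textbook RSA over Mersenne primes, standard library only."""
import hashlib

E = 65537  # public exponent; coprime to (p-1)(q-1) for every prime pair used below


def make_key(p, q):
    """Build a textbook RSA key pair from two primes (constructed, insecure size)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": E, "d": d}


def digest_mod_n(data, n):
    """SHA-256 of the data, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(digest_mod_n(data, key["n"]), key["d"], key["n"])


def verify(pub, data, signature):
    """pub only needs the public part: any dict carrying 'n' and 'e'."""
    return pow(signature, pub["e"], pub["n"]) == digest_mod_n(data, pub["n"])


def tbs(cert):
    """Canonical 'to-be-signed' bytes: every field except the signature."""
    return f"{cert['subject']}|{cert['issuer']}|{cert['n']}|{cert['e']}".encode()


def issue(subject, subject_key, issuer_name, issuer_key):
    """Produce cert(subject key) <-- signed by issuer_key."""
    cert = {"subject": subject, "issuer": issuer_name,
            "n": subject_key["n"], "e": subject_key["e"]}
    cert["signature"] = sign(issuer_key, tbs(cert))
    return cert


def verify_chain(chain, trust_anchors):
    """chain[0] is the end-entity certificate, chain[-1] the claimed root.
    Returns (ok, reason) after applying the three rules from the post."""
    if not chain:
        return False, "empty chain"
    for i in range(len(chain) - 1):
        cert, issuer_cert = chain[i], chain[i + 1]
        # Rule 1: cert(KEY i) must be signed by the key in cert(KEY i+1).
        if cert["issuer"] != issuer_cert["subject"]:
            return False, f"{cert['subject']}: issuer is not {issuer_cert['subject']}"
        # Rule 2: and that signature must actually verify under that key.
        if not verify(issuer_cert, tbs(cert), cert["signature"]):
            return False, f"{cert['subject']}: signature does not verify"
    # Rule 3: nothing validates the last certificate, so it has to be trusted
    # a priori. Its self-signature (if any) proves nothing by itself.
    last = chain[-1]
    if not any(a["subject"] == last["subject"] and a["n"] == last["n"]
               and a["e"] == last["e"] for a in trust_anchors):
        return False, f"{last['subject']}: not a trust anchor"
    return True, "chain valid"


# Constructed keys: Mersenne primes keep the example offline and deterministic.
ROOT_KEY = make_key(2**107 - 1, 2**127 - 1)
INTER_KEY = make_key(2**61 - 1, 2**89 - 1)
LEAF_KEY = make_key(2**31 - 1, 2**19 - 1)
ROGUE_KEY = make_key(2**17 - 1, 2**13 - 1)

# The legitimate chain: cert(LEAF) <-- cert(INTER) <-- cert(ROOT), root self-signed.
ROOT = issue("Example Root CA", ROOT_KEY, "Example Root CA", ROOT_KEY)
INTER = issue("Example Issuing CA", INTER_KEY, "Example Root CA", ROOT_KEY)
LEAF = issue("alice@example.com", LEAF_KEY, "Example Issuing CA", INTER_KEY)

# An internally consistent chain that ends in a root nobody trusts (rule 3).
ROGUE_ROOT = issue("Rogue Root CA", ROGUE_KEY, "Rogue Root CA", ROGUE_KEY)
ROGUE_INTER = issue("Rogue Issuing CA", INTER_KEY, "Rogue Root CA", ROGUE_KEY)
ROGUE_LEAF = issue("alice@example.com", LEAF_KEY, "Rogue Issuing CA", INTER_KEY)

TRUST_ANCHORS = [ROOT]


def demo():
    """Exercise each rule once; returns {case: ok} so the outcomes can be checked."""
    tampered = dict(LEAF, subject="mallory@example.com")  # body changed, signature kept
    return {
        "good": verify_chain([LEAF, INTER, ROOT], TRUST_ANCHORS)[0],
        "no_trusted_end": verify_chain([LEAF, INTER], TRUST_ANCHORS)[0],   # rule 3
        "untrusted_root": verify_chain([ROGUE_LEAF, ROGUE_INTER, ROGUE_ROOT],
                                       TRUST_ANCHORS)[0],                  # rule 3
        "wrong_order": verify_chain([LEAF, ROOT, INTER], TRUST_ANCHORS)[0],  # rule 1
        "tampered_leaf": verify_chain([tampered, INTER, ROOT], TRUST_ANCHORS)[0],  # rule 2
        "intermediate_as_anchor": verify_chain([LEAF, INTER], [INTER])[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'valid' if ok else 'REJECTED'}")
```

The `intermediate_as_anchor` case is the "usually, but not necessarily" point: the chain does not have to end at a root CA, it only has to end at something the verifier already trusts. The list `[LEAF, INTER, ROOT]` is also exactly the set of certificates that has to travel with a user certificate for a relying party to rebuild the chain, which is what the `-chain` option of the pkcs12 tool is about.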
Aleix Conchillo wrote:
>hi all,
>
>
>can anyone explain to me what exactly a chain is? i'm doing a really basic
>wrapper of OpenSSL for C++ at work, and i was doing the pkcs12 stuff. I
>can already construct a pkcs12 from a user certificate, his private key
>and a list of extra certificate files (like the -certfile option). And i
>was wondering what the -chain option is. I have had a look at the
>pkcs12.c application but i really don't understand that part, it's just
>that i don't know the concept.
>
>any help would be appreciated.
>
>best regards,
>
>aleix
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]