Hi,

Is there a way in which I can determine the correct issuer certificate of an issued certificate (either intermediate CA or end entity) based on comparing the immediate pair alone? E.g., my hierarchy is like this:

    Root
      Intermediate CA 1
        Intermediate CA 2
          End entity

Is it possible to determine that Intermediate CA 2 is the issuer of the End entity certificate without having to traverse the full hierarchy?

I do not want to depend upon issuer name / subject name comparisons alone (as this is not deterministic and conclusive). I do not want to depend upon the Authority Key Identifier / Subject Key Identifier keyId fields (as most CAs seem not to have this extension at all).

Basically I want some signature check method from OpenSSL that can take two certificates as input and tell me if one has issued the other:

    #include <openssl/x509.h>
    #define YES_ISSUER_IS_CORRECT    1
    #define NO_ISSUER_IS_NOT_CORRECT 0

    /* Does issuer_certificate's public key verify the signature on issued_certificate? */
    int openSSL_signature_check(X509 *issuer_certificate, X509 *issued_certificate)
    {
        EVP_PKEY *issuer_key = X509_get_pubkey(issuer_certificate);    /* new reference, must be freed */
        if (issuer_key == NULL)
            return NO_ISSUER_IS_NOT_CORRECT;
        int return_code = X509_verify(issued_certificate, issuer_key);  /* returns 1 on success */
        EVP_PKEY_free(issuer_key);
        return (1 == return_code) ? YES_ISSUER_IS_CORRECT : NO_ISSUER_IS_NOT_CORRECT;
    }

Is something like this already available in OpenSSL?

One more question: given a certificate and a trust store, OpenSSL's verify utility currently returns OK in case the verification was successful. Is there a way in which I can retrieve the formed and verified chain of certificates back?

-- Ashok
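Both questions can be exercised with the openssl command-line tool alone. The script below is an added example, not part of Ashok's post: it builds a constructed Root -> Intermediate -> End-entity hierarchy (file names root.pem, int.pem, leaf.pem are my own choice), checks a single candidate issuer against a single certificate with `openssl verify -partial_chain`, and prints the chain that `openssl verify` actually built with `-show_chain`. It assumes an openssl binary of 1.1.0 or later (for `-show_chain` and `-no-CApath`).

```shell
#!/bin/sh
# Constructed test hierarchy: Root -> Intermediate -> End entity (ECDSA P-256, 1-day validity).
# $1 = working directory. Produces root.pem / int.pem / leaf.pem plus matching .key files.
make_hierarchy() {
    d="$1"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for name in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$name.key" 2>/dev/null
        openssl req -new -key "$d/$name.key" -subj "/CN=Test $name" -out "$d/$name.csr" 2>/dev/null
    done
    # Root is self-signed; int is signed by root; leaf is signed by int (no CA extension).
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Question 1, pairwise: exit status 0 only if $1 directly certifies $2.
# -partial_chain accepts $1 as the trust anchor even though it is not a root, so no walk
# up to the root happens; OpenSSL still checks the signature, the issuer/subject names and
# the AKID/SKID pair when present. -no-CApath keeps the system CA directory out of it.
is_issuer() {
    openssl verify -partial_chain -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Question 2: full verification that also prints the chain OpenSSL built
# ("Chain:" followed by one "depth=N: <subject>" line per certificate, leaf first).
# $1 = trusted root file, $2 = untrusted intermediates file, $3 = leaf.
show_chain() {
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" -show_chain "$3" 2>&1
}

# Demo run on a throwaway directory.
dir=$(mktemp -d)
make_hierarchy "$dir"
is_issuer "$dir/int.pem"  "$dir/leaf.pem" && echo "int.pem issued leaf.pem"
is_issuer "$dir/root.pem" "$dir/leaf.pem" || echo "root.pem did NOT directly issue leaf.pem"
show_chain "$dir/root.pem" "$dir/int.pem" "$dir/leaf.pem"
rm -rf "$dir"
```

In the C API the same pairwise check is X509_check_issued() followed by X509_verify() with the candidate's public key, and after a successful X509_verify_cert() the built chain is available from X509_STORE_CTX_get1_chain().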