On 2/21/2013 2:29 PM, ashish2881 wrote:
I have a certificate chain in a file chain.pem. It also has the root
certificate (self-signed).
How can I verify the chain, if all certificates are present in the chain?

Thanks



Good question!

I recently tested this myself, and here are my (preliminary) results:

If using the OpenSSL API in a program, you can load the chain and the CA cert into two "X509 stores", then loop over the store calling a function to validate each certificate in the chain store against the CA store with options to use the chain store to locate intermediary certificates.

But on the command line, things are unnecessarily difficult.

Here is what you need to do:

1. Split the chain file into one file per certificate, noting the order

2. For each certificate starting with the one above root:

2.1 Concatenate all the previous certificates and the root certificate into one temporary file (this example is for when you are checking the
third certificate from the bottom, having already checked cert1.pem and
cert2.pem):

   Unix:    cat cert2.pem cert1.pem root.pem > cert2-chain.pem
   Windows: copy /A cert2.pem+cert1.pem+root.pem cert2-chain.pem /A

2.2 Run this command

            openssl verify -CAfile cert2-chain.pem cert3.pem

2.3 If this is OK, proceed to the next one (cert4.pem in this case)

Thus for the first round through the commands would be

  Unix:     cat root.pem > root-chain.pem
  Windows:  copy /A root.pem root-chain.pem
  Both:     openssl verify -CAfile root-chain.pem cert1.pem

And the second round would be

  Unix:     cat cert1.pem root.pem > cert1-chain.pem
  Windows:  copy /A cert1.pem+root.pem cert1-chain.pem
  Both:     openssl verify -CAfile cert1-chain.pem cert2.pem

Etc.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
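The round-by-round procedure above, automated as a small POSIX shell script. This is an added example and is not code from the post or from the OpenSSL project. Its assumptions: chain.pem is in leaf-first order (leaf, intermediates, root, the order a TLS server sends it), the split files are named cert-NN.pem, the growing -CAfile is trusted.pem, the --demo mode builds a throwaway root/intermediate/leaf hierarchy with openssl so the script runs stand-alone, and the -no-CApath/-no-CAfile options need OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the rounds described
# above: split chain.pem, check the root against itself, then check each
# certificate against the root plus everything already checked.
# Assumed names: chain.pem (leaf first), cert-NN.pem, trusted.pem.

# split_chain CHAINFILE OUTDIR: one file per PEM certificate block, numbered in
# the order found; text between blocks (openssl -text dumps, "subject=" lines)
# is dropped. Prints the number of certificates written.
split_chain() {
    chain="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$chain"
    ls "$out"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# verify_chain OUTDIR: the highest-numbered file must be the self-signed root.
# Round 0 verifies the root against itself; every later round verifies the
# next certificate with -CAfile trusted.pem (root plus all earlier rounds) and
# then appends it. -no-CApath/-no-CAfile stop the system trust store from
# silently satisfying a link that chain.pem itself lacks. Returns 0 if all pass.
verify_chain() {
    dir="$1"
    set -- $(ls -r "$dir"/cert-*.pem)          # root first, leaf last
    root="$1"; shift
    trusted="$dir/trusted.pem"
    openssl verify -no-CApath -no-CAfile -CAfile "$root" "$root" >/dev/null 2>&1 \
        || { echo "FAIL: $root is not a valid self-signed root"; return 1; }
    cat "$root" > "$trusted"
    for cert in "$@"; do
        if openssl verify -no-CApath -no-CAfile -CAfile "$trusted" "$cert" >/dev/null 2>&1; then
            echo "OK:   $cert"
            cat "$cert" >> "$trusted"            # now trusted for the next round
        else
            echo "FAIL: $cert does not chain to the certificates below it"
            return 1
        fi
    done
    return 0
}

# make_demo_chain DIR: throwaway root -> intermediate -> leaf hierarchy built
# with openssl (demo data only) and DIR/chain.pem in leaf-first order.
make_demo_chain() {
    d="$1"; mkdir -p "$d"
    # extensions that make the intermediate an acceptable CA for openssl verify
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoRoot \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo.example \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# Entry point (hypothetical usage):  sh check-chain.sh chain.pem
# Stand-alone run on a generated demo hierarchy:  sh check-chain.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d); make_demo_chain "$work/ca"; set -- "$work/ca/chain.pem"
fi
if [ $# -ge 1 ]; then
    work=${work:-$(mktemp -d)}
    echo "split $1 into $(split_chain "$1" "$work/split") certificates"
    verify_chain "$work/split"
fi
```

Two things worth knowing when using this. First, the round-by-round method promotes every verified intermediate to a trust anchor in the next round, because everything in -CAfile is trusted; the single-command form `openssl verify -CAfile root.pem -untrusted intermediates.pem leaf.pem` keeps the intermediates untrusted and lets OpenSSL build the path itself. Second, a chain file in root-first order makes the script fail at round 0 (the last block is not self-signed), which is the intended signal to check the order rather than a bug in the certificates.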
