On 2/21/2013 2:29 PM, ashish2881 wrote:
> I have a certificate chain in a file chain.pem. It also has the root
> certificate (self-signed).
> How can I verify the chain, if all certificates are present in the chain?
> Thanks
Good question!
I recently tested this myself, and here are my (preliminary) results:
If using the OpenSSL API in a program, you can load the chain and the CA
cert into two "X509 stores", then loop over the store calling a function
to validate each certificate in the chain store against the CA store
with options to use the chain store to locate intermediary certificates.
But on the command line, things are unnecessarily difficult.
Here is what you need to do:
1. Split the chain file into one file per certificate, noting the order.
2. For each certificate, starting with the one above the root:
   2.1 Concatenate all the previous certificates and the root certificate
       into one temporary file. (This example is for when you are checking
       the third certificate from the bottom, having already checked
       cert1.pem and cert2.pem.)
       Unix:    cat cert2.pem cert1.pem root.pem > cert2-chain.pem
       Windows: copy /A cert2.pem+cert1.pem+root.pem cert2-chain.pem /A
   2.2 Run this command:
       openssl verify -CAfile cert2-chain.pem cert3.pem
   2.3 If this is OK, proceed to the next one (cert4.pem in this case).
Thus for the first round through, the commands would be
    Unix:    cat root.pem > root-chain.pem
    Windows: copy /A root.pem root-chain.pem
    Both:    openssl verify -CAfile root-chain.pem cert1.pem
And the second round would be
    Unix:    cat cert1.pem root.pem > cert1-chain.pem
    Windows: copy /A cert1.pem+root.pem cert1-chain.pem
    Both:    openssl verify -CAfile cert1-chain.pem cert2.pem
Etc.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
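The per-certificate procedure from the reply above, automated in a POSIX shell script. This is an added example, not code from the original post or from the OpenSSL project: it assumes the openssl command-line tool (1.1.0 or newer, for the -no-CApath and -no-CAfile options) is on PATH and that the chain file lists the end-entity certificate first and the self-signed root last. The function names (split_chain, verify_one, verify_chain_file, make_test_chain, demo) are this example's own, and the root/intermediate/leaf certificates it generates for its self-check are constructed throwaway test data, not real certificates.

```sh
#!/bin/sh
# Added example (not from the original post or the OpenSSL project): the
# per-certificate procedure from the reply, automated for any chain file.
# Assumptions: the openssl CLI (1.1.0+, for -no-CApath/-no-CAfile) is on PATH
# and the bundle lists the end-entity certificate first, the self-signed root
# last.  All function names and the generated test subjects are invented here.
set -u

# Split a PEM bundle into cert1.pem, cert2.pem, ... inside $2 (blocks copied
# verbatim, anything outside BEGIN/END ignored) and print how many were found.
split_chain() {
    bundle=$1 outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != ""                        { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }
        END                            { print n + 0 }' "$bundle"
}

# Verify one certificate ($2) against a CAfile ($1).  Success is read from the
# "<file>: OK" line rather than the exit code, because old releases exited 0
# on failure.  -no-CApath/-no-CAfile keep the system store out of it, so the
# chain cannot "verify" through an unrelated anchor the file never contained.
verify_one() {
    out=$(openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" 2>&1 || true)
    case $out in
        *": OK"*) return 0 ;;
        *)        printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Walk the chain from the root upwards exactly as the reply describes: each
# certificate is checked against a CAfile holding the root plus every
# certificate already verified, so a missing or out-of-order intermediate is
# reported at the link where it breaks.  Returns 0 only if every link verifies.
verify_chain_file() {
    bundle=$1
    work=$(mktemp -d) || return 1
    n=$(split_chain "$bundle" "$work")
    if [ "$n" -lt 2 ]; then
        echo "$bundle: found $n certificate(s); need a root plus at least one more" >&2
        rm -rf "$work"; return 1
    fi
    # Round 0: the last certificate must verify against itself, i.e. be the
    # self-signed root; otherwise there is no trust anchor to start from.
    cp "$work/cert$n.pem" "$work/trusted.pem"
    if ! verify_one "$work/trusted.pem" "$work/cert$n.pem"; then
        echo "cert$n.pem (last in $bundle) is not a self-signed root" >&2
        rm -rf "$work"; return 1
    fi
    echo "cert$n.pem: self-signed root, used as trust anchor"
    i=$((n - 1)); status=0
    while [ "$i" -ge 1 ]; do
        if verify_one "$work/trusted.pem" "$work/cert$i.pem"; then
            echo "cert$i.pem: OK"
            # Same as "cat certN.pem ... root.pem > certN-chain.pem" in the post.
            cat "$work/cert$i.pem" "$work/trusted.pem" > "$work/next.pem"
            mv "$work/next.pem" "$work/trusted.pem"
        else
            echo "cert$i.pem: FAILED; its issuer is missing from, or does not verify among, the certificates below it" >&2
            status=1; break
        fi
        i=$((i - 1))
    done
    rm -rf "$work"
    return $status
}

# Build a constructed root -> intermediate -> leaf chain for the self-check,
# plus a copy with the intermediate left out.  Throwaway test certificates
# generated on the spot, not real ones.
make_test_chain() {
    d=$1
    mkdir -p "$d" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=leaf.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null || return 1
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
    cat "$d/leaf.pem" "$d/root.pem" > "$d/broken.pem"
}

demo() {
    d=$(mktemp -d) || return 1
    make_test_chain "$d" || { echo "could not generate the test chain" >&2; rm -rf "$d"; return 1; }
    echo "== chain.pem: leaf, intermediate, root =="
    verify_chain_file "$d/chain.pem" && echo "chain.pem: every link verified"
    echo "== broken.pem: the same chain without its intermediate =="
    verify_chain_file "$d/broken.pem" 2>/dev/null || echo "broken.pem: rejected, as expected"
    rm -rf "$d"
}

# Usage: sh verify-chain.sh chain.pem   (with no argument, runs the self-check)
if [ $# -eq 1 ]; then verify_chain_file "$1"; else demo; fi
```

Two details matter beyond the post's bare commands. First, "openssl verify" without -no-CApath also consults the system trust store, so a chain with a missing intermediate can still come back OK if the system happens to trust that intermediate's issuer; restricting the lookup to the temporary CAfile makes the check answer the question actually asked, whether the file itself is complete. Second, the round-0 self-check catches a bundle whose last certificate is not self-signed (for example one written root-first), which would otherwise fail at the first link with a misleading "unable to get local issuer certificate".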