X509_build_chain() - Re: Request for Openssl APIs to be used to sort the certificate chain

David von Oheimb David.von.Oheimb at siemens.com
Tue Oct 10 06:39:47 UTC 2023


On 10.10.23 06:32, Brahmaji K wrote:
> Thanks a lot Viktor and David for your answers.

you are welcome - hopefully they helped.

Note that both answers assume that you already know which is the first 
(i.e., target) cert in the chain - cert 4 in your example.
If it is the only end-entity cert in the list, it is straightforward to 
take that.
If this is not the case (maybe because your target cert is a CA cert or 
there are multiple EE certs),
in the worst case one would have to try out which target cert results in 
the longest chain.


> On Tue, Oct 10, 2023 at 1:32 AM Viktor Dukhovni 
> <openssl-users at dukhovni.org> wrote:
>
>     On Mon, Oct 09, 2023 at 09:45:35PM +0530, Brahmaji K wrote:
>
>     > If I got the certificate chain out of order [...], then is there
>     a direct way (i.e., with[out?] any openssl API(s)), we can create the
>     > certificates chain in the correct order as - Cert 4 || Cert 3 ||
>     Cert 2 || Cert 1?
>
>     It seems, you're looking for a CLI feature, that would not require
>     writing code.  That's a missing feature of the openssl-verify(1)
>     command.
>
Using cert verification (regardless of whether at API or CLI level) has the 
drawback that it is less efficient than just building the chain.

>     It has a `-show_certs` option that prints just the
>     distinguished names of the certificates in constructed chain,
>     but has no `-print_certs` function that would instead just
>     output the constructed chain.
>
>     This would make a good entry-level contribution to the OpenSSL
>     project.
>
If anyone tackles this, I'd suggest not providing a -print_certs option 
but an -out_chain <certfile> option.

     David

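The ordering step discussed above, as an added example that is not code from this thread or from OpenSSL: it models each certificate by the three fields the ordering needs (subject, issuer, CA flag), picks the target cert the way David describes (the sole end-entity cert if there is exactly one, otherwise whichever candidate yields the longest chain), and emits the list as Cert 4 || Cert 3 || Cert 2 || Cert 1. The `Cert` dataclass, the DNs and the four sample certificates are constructed for the example; issuer/subject matching is a plain string comparison and no signatures are checked, which is exactly what a real implementation must not skip.

```python
"""Order an unsorted certificate list target-first by chaining issuer -> subject.

Constructed example: certificates are stand-ins carrying only subject, issuer and
the CA flag. Names are matched by exact string comparison and no signature is
verified, so this shows the ordering logic only, not a trustworthy chain build.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Cert:
    name: str      # label only, e.g. "Cert 4" in the thread's example
    subject: str   # subject DN (assumed already in canonical string form)
    issuer: str    # issuer DN
    is_ca: bool    # basicConstraints cA

    @property
    def self_signed(self) -> bool:
        # Self-issued (subject equals issuer): treated as the end of the chain.
        return self.subject == self.issuer


def build_chain(target: Cert, pool: Sequence[Cert]) -> List[Cert]:
    """Follow issuer links from target; stops at a self-issued cert or a missing issuer."""
    by_subject: Dict[str, List[Cert]] = {}
    for cert in pool:
        by_subject.setdefault(cert.subject, []).append(cert)

    chain = [target]
    used = {id(target)}               # guard against loops (cross-certs, duplicates)
    current = target
    while not current.self_signed:
        issuers = [c for c in by_subject.get(current.issuer, []) if id(c) not in used]
        if not issuers:
            break                     # issuer not in the pool: return the partial chain
        current = issuers[0]
        used.add(id(current))
        chain.append(current)
    return chain


def end_entity_certs(pool: Sequence[Cert]) -> List[Cert]:
    return [c for c in pool if not c.is_ca]


def sort_chain(pool: Sequence[Cert]) -> List[Cert]:
    """Choose the target cert, then order the pool as target || ... || root."""
    ee = end_entity_certs(pool)
    if len(ee) == 1:
        return build_chain(ee[0], pool)        # the straightforward case
    # CA-only pool or several EE certs: try each cert as target, keep the longest chain.
    best: List[Cert] = []
    for candidate in pool:
        chain = build_chain(candidate, pool)
        if len(chain) > len(best):
            best = chain
    return best


# Constructed sample: the thread's four certs, deliberately out of order.
CERT1 = Cert("Cert 1", "CN=Root CA", "CN=Root CA", True)
CERT2 = Cert("Cert 2", "CN=Intermediate CA", "CN=Root CA", True)
CERT3 = Cert("Cert 3", "CN=Issuing CA", "CN=Intermediate CA", True)
CERT4 = Cert("Cert 4", "CN=server.example.test", "CN=Issuing CA", False)
UNORDERED = [CERT2, CERT4, CERT1, CERT3]
CA_ONLY = [CERT1, CERT3, CERT2]       # no EE cert: target found by the longest-chain rule

if __name__ == "__main__":
    print(" || ".join(c.name for c in sort_chain(UNORDERED)))
```

Chaining on names alone is only a sorting heuristic: an attacker-supplied bundle can contain a cert whose issuer DN matches a real CA without being signed by it, so once the order is known the chain still has to be built and checked with signature verification, which is what X509_build_chain() does in OpenSSL 3.x (and what `openssl verify` does internally before it prints the chain).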