X509_build_chain() - Re: Request for Openssl APIs to be used to sort the certificate chain

Brahmaji K brahmaji.k at gmail.com
Tue Oct 10 07:13:49 UTC 2023


Hi David,

>> Note that both answers assume that you already know which is the first
(i.e., target) cert in the chain - cert 4 in your example.
In our case we only know the root cert, but all other certs are given
jumbled, and the target is to extract the leaf cert (target cert) from among
the jumbled certs.

On Tue, Oct 10, 2023 at 12:10 PM David von Oheimb via openssl-users <
openssl-users at openssl.org> wrote:

> On 10.10.23 06:32, Brahmaji K wrote:
>
> Thanks a lot Viktor and David for your answers.
>
> you are welcome - hopefully they helped.
>
> Note that both answers assume that you already know which is the first
> (i.e., target) cert in the chain - cert 4 in your example.
> If it is the only end-entity cert in the list, it is straightforward to
> take that.
> If this is not the case (maybe because your target cert is a CA cert or
> there are multiple EE certs),
> in the worst case one would have to try out which target cert results in the
> longest chain.
>
>
> On Tue, Oct 10, 2023 at 1:32 AM Viktor Dukhovni <
> openssl-users at dukhovni.org> wrote:
>
>> On Mon, Oct 09, 2023 at 09:45:35PM +0530, Brahmaji K wrote:
>>
>> > If I got the certificate chain out of order [...], then is there a
>> > direct way (i.e., with[out?] any openssl API(s)), we can create the
>> > certificates chain in the correct order as - Cert 4 || Cert 3 || Cert 2
>> > || Cert 1?
>>
>> It seems you're looking for a CLI feature that would not require
>> writing code.  That's a missing feature of the openssl-verify(1)
>> command.
>>
> Using cert verification (regardless of whether at API or CLI level) has the
> drawback that it is less efficient than just building the chain.
>
>> It has a `-show_certs` option that prints just the
>> distinguished names of the certificates in constructed chain,
>> but has no `-print_certs` function that would instead just
>> output the constructed chain.
>>
>> This would make a good entry-level contribution to the OpenSSL project.
>>
> If anyone tackles this, I'd suggest not providing a -print_certs option
> but an -out_chain <certfile> option.
>
>     David
>
>
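The strategy David describes (when the list holds more than one end-entity cert, try each candidate as the target and keep the one that yields the longest chain to the known root) as an added worked example. This is not code from the thread or from OpenSSL: it models a cert by the few fields the chain builder consults (subject, issuer, CA flag) and links certs by name only, so it shows the ordering logic, not verification. In real code the per-candidate chain must come from OpenSSL itself (X509_build_chain() or X509_verify_cert() with the root in the store), which checks the signatures; an issuer name match on its own proves nothing. The sample certs below are constructed for the example.

```python
"""Recover the order of a jumbled certificate list given only the trusted root.

Added example, not from the mailing-list thread or from OpenSSL.  Certs are
modelled by the fields a chain builder looks at; signature checking is left
to OpenSSL in real code (X509_build_chain / X509_verify_cert).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    name: str      # label used in the output ("Cert 4" etc.)
    subject: str   # subject DN, as a string
    issuer: str    # issuer DN, as a string
    is_ca: bool    # basicConstraints CA flag


def issuers_of(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Certs in the pool that could have issued `cert`: subject matches the
    issuer DN and the CA flag is set.  A cert never links to itself here;
    self-signed certs end a chain, they do not extend it."""
    return [c for c in pool if c.subject == cert.issuer and c.is_ca and c != cert]


def build_chain(target: Cert, pool: List[Cert], root: Cert) -> Optional[List[Cert]]:
    """Depth-first walk from `target` along issuer links until a cert issued
    by the trusted root is reached.  Returns target..root, or None when no
    path to the root exists.  Loops (e.g. cross-signed CAs) are cut by never
    revisiting a cert already on the path; the longest completed path wins."""
    if target == root:
        return [root]
    pool = [c for c in pool if c != root]   # the root is supplied, not searched
    best: Optional[List[Cert]] = None

    def walk(cur: Cert, path: List[Cert]) -> None:
        nonlocal best
        if cur.issuer == root.subject:
            chain = path + [root]
            if best is None or len(chain) > len(best):
                best = chain
            return
        for nxt in issuers_of(cur, pool):
            if nxt in path:
                continue
            walk(nxt, path + [nxt])

    walk(target, [target])
    return best


def sort_chain(pool: List[Cert], root: Cert) -> Optional[List[Cert]]:
    """Order a jumbled list as leaf-first .. root.  With exactly one
    end-entity cert that cert is the target (the easy case); otherwise every
    cert is tried as the target and the longest chain to the root is kept."""
    candidates = [c for c in pool if c != root]
    end_entity = [c for c in candidates if not c.is_ca]
    if len(end_entity) == 1:
        return build_chain(end_entity[0], candidates, root)
    chains = []
    for c in candidates:
        chain = build_chain(c, candidates, root)
        if chain is not None:
            chains.append(chain)
    return max(chains, key=len) if chains else None


def chain_names(chain: Optional[List[Cert]]) -> List[str]:
    return [c.name for c in chain] if chain else []


# Constructed sample hierarchy (not real certificates).  Cert 5 is a second
# end-entity cert issued directly by the root, so the "single EE" shortcut
# does not apply and the longest-chain search is needed.
ROOT = Cert("Cert 1", "CN=Example Root CA", "CN=Example Root CA", True)
CERT2 = Cert("Cert 2", "CN=Example Intermediate G1", "CN=Example Root CA", True)
CERT3 = Cert("Cert 3", "CN=Example Issuing CA", "CN=Example Intermediate G1", True)
CERT4 = Cert("Cert 4", "CN=www.example.com", "CN=Example Issuing CA", False)
CERT5 = Cert("Cert 5", "CN=ocsp.example.com", "CN=Example Root CA", False)
JUMBLED = [CERT3, CERT5, CERT2, ROOT, CERT4]


if __name__ == "__main__":
    print("ordered:", " || ".join(chain_names(sort_chain(JUMBLED, ROOT))))
```

Running the block prints `ordered: Cert 4 || Cert 3 || Cert 2 || Cert 1`, the order asked for in the original question. The worst case is quadratic in the number of certs (one chain build per candidate), which is the inefficiency David alludes to; with a single end-entity cert the shortcut avoids it.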