[openssl-users] How to construct certificate chain when missing intermediate CA

Jerry OELoo oyljerry at gmail.com
Fri Jan 9 02:45:54 UTC 2015


Hi All:
I am using X509_STORE_CTX_get1_chain() to get a web site's full certificate chain.
Now I am encountering an issue: some web sites do not return the
intermediate CA certificate but only the web site's leaf certificate.

For example: https://globaltrade.usbank.com

Below is the certificate I get.

Subject: /C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

My environment is missing the "VeriSign Class 3 Secure Server CA - G3" certificate.

When I open the web site in browsers (Chrome on Windows), I can see
the certificate chain is built successfully. I think this is because the
browser should recognize this "VeriSign Class 3 Secure Server CA - G3"
intermediate CA and automatically install the crt into the system.

So my question is how I can achieve the same as browsers with openssl.
With openssl I can get the error info, but where can I use a program to
download the VeriSign G3 certificate and install it automatically, so that I
can build the full certificate chain?

Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[20]
Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[27]
Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[21]


-- 
Rejoice,I Desire!
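
The depth-0 error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) reported above can be reproduced offline. The following is an added example, not part of the original post: it builds a constructed root, intermediate and leaf with the openssl command line, then verifies the leaf with and without the intermediate supplied as an untrusted chain certificate. All names, the temporary directory and the helper functions `new_req`, `sign` and `verify_error` are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed three-tier PKI (all names made up): root -> intermediate -> leaf.
set -eu
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
cat > "$D/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF

# new_req NAME CN: write NAME.key and NAME.csr
new_req() {
    openssl req -config "$D/cfg" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
# sign CHILD ISSUER EXT_SECTION SERIAL: issue CHILD.pem from CHILD.csr
sign() {
    openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" \
        -set_serial "$4" -days 2 -extfile "$D/cfg" -extensions "$3" \
        -out "$D/$1.pem" 2>/dev/null
}

new_req root "Constructed Root CA"
openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 2 \
    -extfile "$D/cfg" -extensions ca -out "$D/root.pem" 2>/dev/null
new_req int  "Constructed Intermediate CA"; sign int  root ca   2
new_req leaf "leaf.example.test";           sign leaf int  leaf 3

# verify_error ARGS...: print 0 if the chain builds, else the first X509 error number
verify_error() {
    if out=$(openssl verify "$@" 2>&1); then echo 0; return 0; fi
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Only the root is trusted and the server sent no intermediate: the leaf's issuer is unknown.
echo "root only:         error $(verify_error -CAfile "$D/root.pem" "$D/leaf.pem")"
# Same trust store, intermediate supplied as an untrusted helper for path building.
echo "with intermediate: error $(verify_error -CAfile "$D/root.pem" \
    -untrusted "$D/int.pem" "$D/leaf.pem")"
```

In the C API the same untrusted pool is the `chain` argument of `X509_STORE_CTX_init()`. Certificates passed there are used only for path building and still have to chain to a trusted root.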

