[openssl-users] How to construct certificate chain when missing intermediate CA

Jakob Bohm jb-openssl at wisemo.com
Fri Jan 9 12:30:25 UTC 2015 

On 09/01/2015 03:45, Jerry OELoo wrote:
> Hi All:
> I am using X509_STORE_CTX_get1_chain() to get web site's full certificate chain.
> Now I am encounter an issue that some web site does not return
> intermediate CA certificate but only web site leaf certificate.
>
> For example. https://globaltrade.usbank.com
>
> Below is certificate I get.
>
> Subject: /C=US/ST=Minnesota/L=St. Paul/O=U.S.
> Bank/OU=ISS/CN=globaltrade.usbank.com
> Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> Server CA - G3
>
> As my environment missing "VeriSign Class 3 Secure Server CA - G3" certificate.
>
> When open web site in Browsers (Chrome on windows), I can see
> certificate chain is built successfully, I think this is because
> browser should recognize "VeriSign Class 3 Secure Server CA - G3" this
> intermediate CA, and automatically installed crt into system.
>
> So my question is how can I achieve same as browsers with openssl,
> with openssl I can get error info. But where can I use program to
> download VeriSign G3 certificate and installed automatically, then I
> can build full certificate chain.
>
> Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S.
> Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[20]
> Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S.
> Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[27]
> Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S.
> Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[21]
>
>
The trick is that many (not all) certificates now include an
"AuthorityInformation Access" (AIA) extension which
(optionally) gives a download URL for the next certificate
in the chain in case the browser does not have a local copy.
This is the same extension which also (in another optional
field) provides the URL of an OCSP revocation checking
server.

So in some clients (at least Internet Explorer 9+), the
procedure for each certificate is:

1. Using the full Issuer DN (which is a complex ASN.1
structure), put them in the same form (already done
because that part of the certificate has to be in the
strict DER format), then do a binary compare for
identity against the full Subject DN in all the
certificates received from the other end.

2. If this fails, do the same against all the
certificates in your local catalog of trusted root CAs.

3. If this fails, do the same against all the certificates
in your local catalog of known Intermediary CAs.

4. If this fails, do the same against all the certificates
in your local cache of previously downloaded certificates.

5. If this fails, look for an AIA extension in the cert
and check if that extension includes a certificate
download URL, then download from that URL to an in memory
variable.  If the validation ultimately succeeds, save
that downloaded certificate from memory to your local
cache.

OpenSSL 1.0.1 and older include functions to do steps 1
(if the other end sent the certificates in the order
needed) and 2.  That code may be coerced into doing steps
3 and 4 by putting the intermediary certificates into the
root store and checking if a certificate is self-signed
to decide if it is trusted or just a potentially
unverified intermediary.

OpenSSL 1.0.2 beta apparently includes better code for
most of these steps than 1.0.1.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list