[openssl-users] verify certificate chain (in memory)

Lei Sun ls00722 at yahoo.com
Sun Mar 6 00:56:03 UTC 2016


Hi:
  I haven't tried that. In the command line:

openssl verify -CAfile root.cert inter.crt 
OK.
That means the intermediate cert can be verified with the root cert, so as a first step I tried to perform this two-level verify with a C program, but it failed.

If I combine the server's cert and the intermediate into a single file, and use d2i_X509(), would it return a chain of certificates then?

I will try it. But I am still concerned about why the intermediate cert verification would fail.

Thanks
Lei 


----- Original Message -----
From: Ángel González <angel at tls.16bits.net>
To: openssl-users at openssl.org
Sent: Saturday, March 5, 2016 8:44 AM
Subject: Re: [openssl-users] verify certificate chain (in memory)

Lei Sun wrote:

> Hi:
>   In my project I need to verify certificate chain sent from server.
> The chain has root -> intermediate -> server, a 3-level chain. The
> server certificate files can be verified by "openssl verify" command:
> 
> openssl verify -CAfile root.crt server.crt
> OK.
> 
> But I had to combine the root cert and intermediate cert into single
> file, to verify the whole chain via command line.

Have you tried combining the intermediate and the server cert into a
single file? That should work, and is more akin to the actual behavior
(the server sends its certificate plus any intermediates, and the
client should only need the root).

Kind regards
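
Added example, not part of either message: a constructed three-level chain checked the way the reply describes, with only the root trusted and the certificates the server would send passed as untrusted. The file names, subject names and function names are assumptions made for this demo.

```sh
#!/bin/sh
# Constructed demo chain: root -> intermediate -> server. All names are made up.

make_chain() {  # $1 = existing empty directory
  ( cd "$1" || exit 1
    # Minimal config so the demo does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
      '[ca]' 'basicConstraints = critical,CA:TRUE' \
      '[leaf]' 'basicConstraints = CA:FALSE' > demo.cnf
    # Self-signed root, then an intermediate CA signed by the root.
    openssl req -x509 -config demo.cnf -extensions ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.crt -subj '/CN=Demo Root' -days 2 &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout inter.key -out inter.csr -subj '/CN=Demo Intermediate' &&
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile demo.cnf -extensions ca -out inter.crt -days 2 &&
    # Server (leaf) certificate signed by the intermediate.
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout server.key -out server.csr -subj '/CN=server.example' &&
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key \
      -CAcreateserial -extfile demo.cnf -extensions leaf -out server.crt -days 2 &&
    # What the server would send: its own cert followed by the intermediate.
    cat server.crt inter.crt > sent.pem
  ) >/dev/null 2>&1
}

# Client view: only the root is trusted; everything the peer sent is untrusted
# material used for path building.
verify_as_client() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sent.pem" \
    "$1/server.crt" >/dev/null 2>&1
}

# Two-level check from the thread: intermediate directly against the root.
verify_intermediate() {
  openssl verify -CAfile "$1/root.crt" "$1/inter.crt" >/dev/null 2>&1
}

# No intermediate supplied: no path from the demo server cert to the root.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

d=$(mktemp -d) && make_chain "$d"
verify_as_client "$d" && echo "root trusted + sent chain untrusted: OK"
verify_without_intermediate "$d" || echo "root only, no intermediate: fails"
```

In a C program the same split is the trusted `X509_STORE` and the untrusted `STACK_OF(X509)` passed to `X509_STORE_CTX_init()`.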
