[openssl-users] verify certificate chain (in memory)
ls00722 at yahoo.com
Sun Mar 6 00:56:03 UTC 2016
I haven't tried that. In the command line:
openssl verify -CAfile root.cert inter.crt
That means the intermediate cert can be verified with the root cert, so as a first step I tried to perform this two-level verify with a C program, but it failed.
If I combine the server's cert and intermediate into a single file, and use d2i_X509(), would it return a chain of certificates then?
I will try it. But I am still concerned about why the intermediate cert verification would fail.
----- Original Message -----
From: Ángel González <angel at tls.16bits.net>
To: openssl-users at openssl.org
Sent: Saturday, March 5, 2016 8:44 AM
Subject: Re: [openssl-users] verify certificate chain (in memory)
Lei Sun wrote:
> In my project I need to verify certificate chain sent from server.
> The chain has root -> intermediate -> server, 3 level chain. The
> server certificate files can be verified by "openssl verify" command:
> openssl verify -CAfile root.crt server.crt
> But I had to combine the root cert and intermediate cert into single
> file, to verify the whole chain via command line.
Have you tried combining the intermediate and the server cert into a
single file? That should work, and is more akin to the actual behavior
(the server sends its certificate plus any intermediates, and the
client should only need the root).
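
Added example, not part of the original thread: the trust model described above (the client trusts only the root and receives the intermediate from the server) reproduced with the `openssl` command line, using the `-untrusted` option of `openssl verify` for the intermediate. It assumes OpenSSL 1.1.0 or later on the PATH; the chain is generated on the spot, and all file names and subjects are invented for the demo.

```shell
# Constructed demo: builds a throwaway root -> inter -> server chain in dir $1.
# File names and subjects are invented for this example.
build_chain() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter server; do
        openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 1
    done
    # Root: self-signed CA certificate, the only trust anchor.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
    # Intermediate: CA certificate issued by the root.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/inter.crt" \
        2>/dev/null || return 1
    # Server: end-entity certificate issued by the intermediate.
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null || return 1
}

# Two-level check from the message: intermediate against the root.
verify_inter() {
    openssl verify -CAfile "$1/root.crt" "$1/inter.crt" >/dev/null 2>&1
}

# Server against the root alone: no path to the anchor, so this must fail.
verify_server_root_only() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Server against the root, with the intermediate supplied as untrusted chain
# material, the way a client treats certificates received in the handshake.
verify_server_full() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# Run all three checks when the first argument is "run".
if [ "${1:-}" = run ]; then
    t=$(mktemp -d) && build_chain "$t" || exit 1
    verify_inter "$t" && echo "inter vs root: OK"
    verify_server_root_only "$t" || echo "server vs root only: fails as expected"
    verify_server_full "$t" && echo "server vs root + untrusted inter: OK"
    rm -rf "$t"
fi
```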