[openssl-users] How to prove a Certificate is Signed or not

Michael Wojcik Michael.Wojcik at microfocus.com
Thu May 3 13:03:23 UTC 2018 

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of morthalan
> Sent: Thursday, May 03, 2018 05:51
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] How to prove a Certificate is Signed or not
>
> But In my case, I do not have any root certificate. I have only one signed
> certificate (SignedCertificate.pem) and one certificate signing request
> (certReq.pem) .

To process the CSR and create the entity certificate (what you're calling the "signed certificate", which is redundant, since all certificates are signed), you have to use the CA private key.

The CA private key has a corresponding public key, which you would have generated alongside the private key.

Verifying the signature on the entity certificate requires that public key. The APIs that verify the signature receive the public key as part of the issuer certificate. You *must* have a CA certificate containing the public key that corresponds to the private key (you used to sign the entity certificate) in order to verify the signature on the entity certificate. It's not optional.

Certificate verification also examines other aspects of the certificate used by the issuer to sign the entity certificate, such as its validity dates. So that's another reason why you *must* have the issuer certificate.

But then you can't process a CSR without a CA certificate, because when you issue the entity certificate, it has to refer to the CA certificate used to issue it. So if you've generated an entity certificate, there's a corresponding issuing certificate somewhere.

I would strongly recommend you find an introduction to X.509 PKI somewhere online before proceeding. X.509 is hideously complicated and fraught with difficulties. Trying to code for it without the basic technical background will be an exercise in frustration and likely lead to errors that greatly weaken the security of your application.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list