[openssl-users] How to prove a Certificate is Signed or not

Viktor Dukhovni openssl-users at dukhovni.org
Thu May 3 15:11:23 UTC 2018



> On May 3, 2018, at 3:06 AM, Anil kumar Reddy <morthalaanilreddy at gmail.com> wrote:
> 
> The issue is:
> I am unable to find out the exact command lines or C/C++ program functions to prove whether SignedCertificate.pem is signed or not. I have spent more than one day researching, but I have ended up confused. I do not have any digital certificate chain.

To verify the signature on a single certificate using a known issuer
public key you call:

	X509_verify(X509 *cert, EVP_PKEY *pkey)

with return values <= 0 indicating failure.  To verify a certificate
chain against a set of trust anchors you call:

	X509_verify_cert(X509_STORE_CTX *ctx)

where "ctx" is populated with the certificate chain, trust anchors,
CRLs, verification parameters, including some types of subject names
to check...  This is what most applications use to check that something
is signed by a trusted certificate with the right identity and purpose.

-- 
	Viktor.
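The chain check described in the reply, run from the command line as an added example that is not part of the original message: `openssl verify` calls `X509_verify_cert()` internally, so its exit status answers "is this certificate signed by that issuer". All file names, subject names and the helper functions `make_ca`, `build_pki` and `is_signed_by` are constructed for illustration; the impostor CA shares the real CA's subject name but not its key, so a match on issuer name alone is shown to be insufficient.

```shell
#!/bin/sh
# Added example: every key and certificate here is a constructed throwaway.

# make_ca DIR NAME: self-signed CA certificate DIR/NAME.pem with key DIR/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# build_pki DIR: real CA, impostor CA (same subject, other key), leaf signed by real CA
build_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    make_ca "$1" ca && make_ca "$1" impostor || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=leaf.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# is_signed_by ANCHOR CERT: exit 0 only if CERT verifies against trust anchor ANCHOR
is_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo on the constructed material
d=$(mktemp -d) && build_pki "$d" || exit 1
is_signed_by "$d/ca.pem" "$d/leaf.pem" && echo "leaf: signed by ca"
is_signed_by "$d/impostor.pem" "$d/leaf.pem" \
    || echo "leaf: rejected against impostor (same name, different key)"
is_signed_by "$d/ca.pem" "$d/ca.pem" && echo "ca: self-signature verifies"
rm -rf "$d"
```

In C, the same checks are `X509_verify(leaf, issuer_public_key)` for the signature alone and `X509_verify_cert(ctx)` for the full chain, with any return value <= 0 treated as failure, as the reply states.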


