Derving the root CA's cert from a given SSL cert

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Derving the root CA's cert from a given SSL cert

Davy Durham
Hi,
  I was wondering if it's possible to derive (or extract?) the root CA's
cert from an given SSL cert using openssl.

What I mean by "root CA's cert" is the certficate that would be
installed in a browsers list of trusted CAs.

For instance if I have an SSL certificate signed by verisign, I would
like to get verisign's certificate out of that cert that would have to
be in the browser's trusted list (for it to be trust).


Is this possible?

Thanks,
  Davy

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Derving the root CA's cert from a given SSL cert

Joseph Oreste Bruni
No (with qualifications). If the server sends you the entire  
certificate chain, then yes you can retrieve the root certificate  
since it was sent to you.

If the server only sends you it's certificate, then all you have is  
the server's pubic key digitally signed by the issuer. The issuer's  
certificate is not embedded within.


On Jun 1, 2005, at 11:01 AM, Davy Durham wrote:

> Hi,
>  I was wondering if it's possible to derive (or extract?) the root  
> CA's cert from an given SSL cert using openssl.
>
> What I mean by "root CA's cert" is the certficate that would be  
> installed in a browsers list of trusted CAs.
>
> For instance if I have an SSL certificate signed by verisign, I  
> would like to get verisign's certificate out of that cert that  
> would have to be in the browser's trusted list (for it to be trust).
>
>
> Is this possible?
>
> Thanks,
>  Davy
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>


smime.p7s (3K) Download Attachment