Doubt regarding x509_verify_cert


Doubt regarding x509_verify_cert

Suram Chandra Sekhar
Hi,
I have a doubt regarding the x509_verify_cert.

I used openssl to generate two Root CA certificates (Self signed)  say Root
CA1, Root CA2.  I got two self-certificates say SelfCert1 from Root CA1 and
SelfCert2 from Root CA2.

In an effort to simulate a bridge CA, one more root CA is generated say
BridgeCA.  I simulated a cross certification to RootCA1 by BridgeCA (Say
CCofRootCA1ByBridgeCA with Issuer as BridgeCA, Subject: RootCA1, PubKey of
RootCA1).

Now I try to verify SelfCert1, CCofRootCA1ByBridgeCA, BridgeCA using
x509_verify_cert.  This function is throwing an error saying "unable to
find the local issuer cert" for SelfCert1.

My question is
1.  Is the above scenario correct?
2. If so, why should it fail?
    I expect it to work because the issuer name of SelfCert1 (RootCA1) is
the subject name in CCofRootCA1ByBridgeCA, whose IssuerName, BridgeCA, is the
subjectName in BridgeCA, which is self-signed.

Awaiting your valuable responses...

Regards
Suram


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Doubt regarding x509_verify_cert

Kiyoshi Watanabe
The Bridge CA is a CA(hub) to bridge the two different CAs, so no need to
have a Self-signed certificate for BridgeCA.

If you are a relying party in Root CA1 domain and if you want to create a
certificate path, you will probably have:
SelfCert1byRootCA1, CrossCertFromRootCA1toBridgeCA,
CrossCertFromBridgeCAtoRootCA2, UserCertByRootCA2

----- Original Message -----
From: "Suram Chandra Sekhar" <[hidden email]>
To: <[hidden email]>
Sent: Friday, December 09, 2005 10:22 PM
Subject: Doubt regarding x509_verify_cert


> Hi,
> I have a doubt regarding the x509_verify_cert.
>
> I used openssl to generate two Root CA certificates (Self signed)  say
> Root CA1, Root CA2.  I got two self-certificates say SelfCert1 from Root
> CA1 and SelfCert2 from Root CA2.
>
> In an effort to simulate a bridge CA, one more root CA is generated say
> BridgeCA.  I simulated a cross certification to RootCA1 by BridgeCA (Say
> CCofRootCA1ByBridgeCA with Issuer as BridgeCA, Subject: RootCA1, PubKey of
> RootCA1).
>
> Now I try to verify SelfCert1, CCofRootCA1ByBridgeCA, BridgeCA using
> x509_verify_cert.  This function is throwing an error saying "unable to
> find the local issuer cert" for SelfCert1.
>
> My question is
> 1.  Is the above scenario correct?
> 2. If so, why should it fail?
>    I expect it to work because the issuer name of SelfCert1 (RootCA1) is
> the subject name in CCofRootCA1ByBridgeCA, whose IssuerName, BridgeCA, is
> the subjectName in BridgeCA, which is self-signed.
>
> Awaiting your valuable responses...
>
> Regards
> Suram
>
>
>
>
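
The path discussed in this thread can be reproduced with the openssl command line. This is an added example, not part of either post: the certificate names follow the thread, while the keys, the 30-day validity and the `ca.ext` extension file (CA certificates marked CA:TRUE) are assumptions of the example.

```shell
#!/bin/sh
# Added example: names follow the thread; keys, temp files and validity are constructed.

# mkcsr NAME: new EC key and a certificate request with subject CN=NAME.
mkcsr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" &&
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr"
}

# sign CSR CERT ARGS...: issue a 30-day certificate for CSR with the given signer options.
sign() {
  csr=$1; cert=$2; shift 2
  openssl x509 -req -in "$csr" -days 30 -out "$cert" "$@" 2>/dev/null
}

# build_pki: create the thread's certificates in a fresh temp dir and cd into it.
build_pki() {
  cd "$(mktemp -d)" || return 1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
    'subjectKeyIdentifier=hash' > ca.ext
  for n in RootCA1 BridgeCA SelfCert1; do mkcsr "$n" || return 1; done
  # Self-signed trust anchors.
  sign RootCA1.csr RootCA1.pem -signkey RootCA1.key -extfile ca.ext || return 1
  sign BridgeCA.csr BridgeCA.pem -signkey BridgeCA.key -extfile ca.ext || return 1
  # Cross-certificate: Issuer BridgeCA, Subject RootCA1, public key of RootCA1.
  sign RootCA1.csr CCofRootCA1ByBridgeCA.pem -CA BridgeCA.pem -CAkey BridgeCA.key \
    -CAcreateserial -extfile ca.ext || return 1
  # End-entity certificate issued by RootCA1.
  sign SelfCert1.csr SelfCert1.pem -CA RootCA1.pem -CAkey RootCA1.key -CAcreateserial
}

# verify_leaf ANCHOR [UNTRUSTED]: print "OK" or the first verification error line.
# ANCHOR is the only trusted certificate; UNTRUSTED is only used for path building.
verify_leaf() {
  if vout=$(openssl verify -CAfile "$1" ${2:+-untrusted "$2"} SelfCert1.pem 2>&1); then
    echo OK
  else
    echo "$vout" | grep '^error' | head -n 1
  fi
}

build_pki || exit 1
echo "anchor BridgeCA, cross-cert as untrusted: $(verify_leaf BridgeCA.pem CCofRootCA1ByBridgeCA.pem)"
echo "anchor BridgeCA, cross-cert not supplied: $(verify_leaf BridgeCA.pem)"
echo "anchor RootCA1, no cross-cert needed:     $(verify_leaf RootCA1.pem)"
```

The second case reports "unable to get local issuer certificate": with only BridgeCA trusted and no cross-certificate supplied, no certificate whose subject matches the issuer of SelfCert1 is available to the path builder.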

