Help required on building certificate chain


Help required on building certificate chain

luvlee_ghg
Hi experts,

I would like to know if there is any API that takes care of building a certificate chain in OpenSSL, similar to the MS API. Also, please let me know the basic details of how a certificate chain is verified in OpenSSL.

Following is my implementation:

                        Root CA
                       /       \
               Sub CA1          Sub CA1 (signing key is different from the other one)
                  |
          Issued Certificate

When the issued certificate is sent for verification, it always fails. I think that while building the certificate chain it is building with the wrong Sub CA, because it finds two of them with the same name. So I would like to know how a certificate chain can be built when two CAs with the same name are present in the certificate store. How can the CA that issued the certificate be used to build the chain for verification?



Re: Help required on building certificate chain

Bruno Bonfils-2
On Wed 19 December, luvlee_ghg wrote:
> When the issued certificate is sent for verification, it always fails. I
> think while building the certificate chain its building with the wrong SUBCA
> because it finds two of them with the same name. So I would like to know how
> can a certificate chain built in case if there are two CAs with similar name
> present in the certificate store. How to use the CA of the Issued
> certificate to build the chain for verification?


Do you have AKI/SKI X509v3 extensions in your certificates? I'm not an
expert on OpenSSL internals, but looking at X509_check_issued (defined in
v3_purp.c), OpenSSL can use AKI/SKI to check the chain during verification.

However, maybe OpenSSL tried the first CA certificate (the bad one),
called check_issued, and didn't try any of the others since an error
occurred.


my two cents

--
http://asyd.net/home/   - Home Page
http://guses.org/home/  - French Speaking (Open)Solaris User Group
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: Help required on building certificate chain

macescandell
In reply to this post by luvlee_ghg
How are you creating the certificate chain? A certificate chain has to start with the subject certificate, followed by an intermediate certificate ... ending in the root certificate. You can do this using cat.

Thank You


On Dec 19, 2007 12:18 PM, luvlee_ghg <[hidden email]> wrote:


Re: Help required on building certificate chain

Hong Cho
In reply to this post by luvlee_ghg
During the building of the certificate chain, the distinguished names
(DNs) are used to match the issuers and the subjects. So if two
different certificates (since they are using different keys) have the
same DNs, that would be a problem.

Have you tried including the "correct" intermediate certificate with
the leaf one? If the verifier decides to pick its own, there's probably
nothing you can do, but it might work.

Hong.

On Dec 19, 2007 10:18 AM, luvlee_ghg <[hidden email]> wrote:


Re: Help required on building certificate chain

luvlee_ghg
In reply to this post by Bruno Bonfils-2
Thanks all for your valuable info.

Yes, the certificates that I use have AKID and SKID extensions. Right now I think my chain is built based on the issuer name.  I use MS API CertGetCertificateChain to build the certificate chain. I need to modify it to build the chain based on the AKID & SKID of the certificate. Could someone tell me how I can go about it?

Thanks
Harish


Re: Help required on building certificate chain

luvlee_ghg
In reply to this post by macescandell
You are right. A certificate chain is built starting from the subject cert until we find a root certificate, i.e. the chain-building operation stops at a certificate whose issuer and subject names are the same.

I found that using the authority key identifier and subject key identifier we can build the chain. But the question is how to build it. I am having a hard time finding it. We use the CertGetCertificateChain() Microsoft API to build the cert chain based on subject and issuer names. But I want to build it using the AKID and SKID. Does anyone know how to do this, or is there an API which I can use?

Thanks

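The points raised across the thread (Bruno: X509_check_issued uses AKI/SKI; Hong: issuer matching by DN breaks when two CAs share a name, so ship the right intermediate with the leaf; macescandell: chain order leaf, intermediate, root; Harish: selecting the issuer by AKID/SKID rather than by name) can all be reproduced with the openssl command line. The script below is an added example, not code from the thread or from the OpenSSL project, and it exercises OpenSSL's verifier rather than CertGetCertificateChain. It assumes an openssl binary (1.1.1 or 3.x) on PATH; every DN, file name and serial number in it is invented for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the poster's PKI with the
# openssl CLI and watch how OpenSSL picks between two Sub CAs that share a
# subject DN. Requires the openssl binary (1.1.1 or 3.x); every DN, file
# name and serial below is made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/pki.cnf"

# One config file serves both `req` and `x509 -extfile`. The CA profile
# emits SKI/AKI, which is what X509_check_issued uses to tell two CAs with
# the same name apart (SKI must precede AKI so the self-signed root works).
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

newkey() {  # newkey <name>: fresh P-256 key, cheap to generate
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$1.key" 2>/dev/null
}

issue() {   # issue <name> <subject> <issuer> <ext-section> <serial>
    newkey "$1"
    openssl req -new -config "$CNF" -key "$WORK/$1.key" -subj "$2" \
        -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" \
        -CAkey "$WORK/$3.key" -set_serial "$5" -days 365 \
        -extfile "$CNF" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
    newkey root   # self-signed root: subject == issuer, chain building stops here
    openssl req -x509 -new -config "$CNF" -key "$WORK/root.key" \
        -subj "/CN=Example Root CA" -days 365 -extensions ca_ext \
        -out "$WORK/root.pem" 2>/dev/null
    # Two Sub CAs with the *identical* DN but unrelated keys (the thread's layout).
    issue subca_a "/CN=Example Sub CA 1" root ca_ext 1001
    issue subca_b "/CN=Example Sub CA 1" root ca_ext 1002
    # The leaf is issued by the second one only.
    issue leaf "/CN=leaf.example.test" subca_b leaf_ext 2001
    # Untrusted bundle in leaf-to-root order is what you would hand a peer.
    cat "$WORK/subca_a.pem" "$WORK/subca_b.pem" > "$WORK/both_subcas.pem"
}

keyid() {   # keyid <name> <'Subject Key Identifier'|'Authority Key Identifier'>
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | sed -n "/$2/{n;s/[[:space:]]//g;s/^keyid://;p;}"
}

issuer_of_leaf() {  # the Sub CA whose SKI equals the leaf's AKI
    leaf_aki=$(keyid leaf 'Authority Key Identifier')
    for c in subca_a subca_b; do
        if [ "$(keyid "$c" 'Subject Key Identifier')" = "$leaf_aki" ]; then
            echo "$c"
        fi
    done
}

verify_leaf() {  # verify_leaf <untrusted-pem>: exit 0 only if a chain to root exists
    openssl verify -show_chain -CAfile "$WORK/root.pem" -untrusted "$1" \
        "$WORK/leaf.pem"
}

build_pki
echo "# both Sub CAs carry the leaf's issuer name; only one matches its AKI"
echo "leaf AKI: $(keyid leaf 'Authority Key Identifier')"
for c in subca_a subca_b; do
    echo "$c SKI: $(keyid "$c" 'Subject Key Identifier')"
done
echo "# only the wrong Sub CA offered: no usable issuer, verification fails"
verify_leaf "$WORK/subca_a.pem" || echo "rejected (exit $?)"
echo "# both Sub CAs offered: OpenSSL selects the one whose SKI matches"
verify_leaf "$WORK/both_subcas.pem"
echo "issuer chosen by key identifier: $(issuer_of_leaf)"
```

`openssl verify` exits 0 only when a chain up to a self-signed certificate in `-CAfile` is found; `-show_chain` prints that chain, which ends at the root as the last post describes. The two Sub CAs print the same subject line, so the key identifiers are the only way to tell which one issued the leaf; that is the check to run first when a "wrong intermediate" is suspected. If the certificates carried no SKI/AKI at all, a verifier would have to fall back to trying each same-named candidate's signature, which is the situation Hong described.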