How to prove a Certificate is Signed or not

14 messages

How to prove a Certificate is Signed or not

morthalan
Hi everyone,

I am new to OpenSSL and now I am completely confused. Please help me out to solve my issue.

I have implemented code to sign the given CSR (certReq.pem), then generate an OpenSSL-signed certificate (SignedCertificate.pem) using the details of certReq.pem. The code is like self-signing, but I have added new functions to enter additional issuer details. Now I have two private keys, one from the CA and another from the CSR, one CSR (certReq.pem) and a signed certificate (SignedCertificate.pem). In SignedCertificate.pem, the subject details and the issuer details are different. There is no problem with the code.

The issue is:
I am unable to find out the exact command lines or C/C++ program functions to prove whether SignedCertificate.pem is signed or not. I have spent more than one day researching, but I have ended up confused. I do not have any digital certificate chain.


Could anyone kindly provide any information regarding this?

Thanks in advance,

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How to prove a Certificate is Signed or not

d3x0r
https://github.com/d3x0r/sack.vfs/blob/master/src/tls_interface.cc#L1538 this routine does cert validation but I don't think that's what you want


which boils down to....
SSL_get_peer_certificate, SSL_get_verify_result


Re: How to prove a Certificate is Signed or not

morthalan
No, technically not. I am just searching for a simple method to check whether a
certificate is signed by a CA or not.
Something like a signing check; I am not quite sure, as I do not have
proper knowledge of OpenSSL.



Re: How to prove a Certificate is Signed or not

d3x0r
In reply to this post by d3x0r
Or, using the JavaScript interface:

if( vfs.TLS.validate( {cert:signedCert3, chain:signedCert2+cert} ) )
    console.log( "Chain is valid." );


Re: How to prove a Certificate is Signed or not

Richard Levitte - VMS Whacker-2
In reply to this post by morthalan
openssl verify -CAfile your_ca_cert.pem SignedCertificate.pem

Hope that helped

Cheers,
Richard


Re: How to prove a Certificate is Signed or not

morthalan
But in my case, I do not have any root certificate. I have only one signed
certificate (SignedCertificate.pem) and one certificate signing request
(certReq.pem). So when I use it as below

openssl verify -CAfile SignedCertificate.pem SignedCertificate.pem

I am getting the error "error 20 at 0 depth lookup:unable to get local issuer
certificate".
I believe it is for verifying certificate chain trust. Correct me if I am
wrong. Is there any way to manipulate it?


Richard Levitte - VMS Whacker-2 wrote
> openssl verify -CAfile your_ca_cert.pem SignedCertificate.pem
>
> Hope that helped
>
> Cheers,
> Richard
>
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users





--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How to prove a Certificate is Signed or not

d3x0r
A root cert is the self-signed cert.



Re: How to prove a Certificate is Signed or not

OpenSSL - User mailing list (Salz, Rich)
In reply to this post by morthalan

> On 5/3/18, 4:24 AM, "morthalan" <[hidden email]> wrote:
>
> No, technically not. I am just searching for a simple method just to check a
> certificate is signed by CA or not.
> Because. Something like signing check, I am not quite sure, I do not have
> proper knowledge on Openssl.

If you have a cert, and a list of CAs that you trust, look at the verify command.

Re: How to prove a Certificate is Signed or not

Felipe Gasper-2
You could:

- Check subject and issuer for sameness.
- Verify the signature with the certificate’s own key. A positive verification indicates self-signed.

> On May 3, 2018, at 7:18 AM, Salz, Rich via openssl-users <[hidden email]> wrote:
>
> If you have a cert, and a list of CA's that you trust, look at the verify command.

Re: How to prove a Certificate is Signed or not

morthalan
In reply to this post by d3x0r
Sorry for the insufficient explanation of what I did.

I have implemented one C++ program (csrReq.cpp) to generate a certificate signing
request (certReq.pem) along with a private key (csrPkey.pem). Another C++ program
(signcode.cpp) reads the user data from certReq.pem and generates the
signed certificate (SignedCertificate.pem).

Here the public key is included in certReq.pem. So signcode.cpp
takes the public key from certReq.pem and then generates SignedCertificate.pem
using it.

After the generation of SignedCertificate.pem, I would like to write a
function to verify SignedCertificate.pem, whether it is signed or not.

Is there any possibility to check the signature of SignedCertificate.pem?




Re: How to prove a Certificate is Signed or not

OpenSSL - User mailing list
> After the generation of SignedCertificate.pem. I would like to write
> function to verify the SignedCertificate.pem, whether it is signed or not.

That is still not an accurate description.  By definition, a certificate is *signed data.*  It appears as a bitstring in the X509 data structure.

Is this what you want to do?  You have a certificate, and a CA key or certificate.  You want to know if the CA's public key generated the signature that is in the certificate that you have.  Look at the X509_verify function.  You will need to take your CA cert (or key) and make a key object, but start with that first manpage and follow the references.

Re: How to prove a Certificate is Signed or not

morthalan
I got two ideas. I can verify the certificate by comparing the issuer name:

#include <string.h>
#include <openssl/x509.h>

/* X509_NAME_oneline() returns a malloc'd string when buf is NULL; free it with OPENSSL_free() */
char *s = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
char *i = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
int rc = strcmp(s, i);   /* 0 when subject == issuer */
OPENSSL_free(s);
OPENSSL_free(i);

and verifying with the public key:

/* public key taken from the signed certificate; X509_REQ_verify() checks the CSR's
   signature with it and returns 1 on success, 0 on failure, <0 on error */
EVP_PKEY *caPubkey = X509_get_pubkey(signCert);
int ok = X509_REQ_verify(certreq, caPubkey);
EVP_PKEY_free(caPubkey);

Thank you all for the suggestions. They really helped.






Re: How to prove a Certificate is Signed or not

Michael Wojcik
In reply to this post by morthalan
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of morthalan
> Sent: Thursday, May 03, 2018 05:51
> To: [hidden email]
> Subject: Re: [openssl-users] How to prove a Certificate is Signed or not
>
> But In my case, I do not have any root certificate. I have only one signed
> certificate (SignedCertificate.pem) and one certificate signing request
> (certReq.pem) .

To process the CSR and create the entity certificate (what you're calling the "signed certificate", which is redundant, since all certificates are signed), you have to use the CA private key.

The CA private key has a corresponding public key, which you would have generated alongside the private key.

Verifying the signature on the entity certificate requires that public key. The APIs that verify the signature receive the public key as part of the issuer certificate. You *must* have a CA certificate containing the public key that corresponds to the private key (you used to sign the entity certificate) in order to verify the signature on the entity certificate. It's not optional.

Certificate verification also examines other aspects of the certificate used by the issuer to sign the entity certificate, such as its validity dates. So that's another reason why you *must* have the issuer certificate.

But then you can't process a CSR without a CA certificate, because when you issue the entity certificate, it has to refer to the CA certificate used to issue it. So if you've generated an entity certificate, there's a corresponding issuing certificate somewhere.

I would strongly recommend you find an introduction to X.509 PKI somewhere online before proceeding. X.509 is hideously complicated and fraught with difficulties. Trying to code for it without the basic technical background will be an exercise in frustration and likely lead to errors that greatly weaken the security of your application.

--
Michael Wojcik
Distinguished Engineer, Micro Focus





Re: How to prove a Certificate is Signed or not

Viktor Dukhovni
In reply to this post by morthalan


> On May 3, 2018, at 3:06 AM, Anil kumar Reddy <[hidden email]> wrote:
>
> The issue is:
> I am unable to find out the exact command lines or c/c++ program functions to prove the SignedCertificate.pem is signed or not. I have spent more than one day on researching, but I am end up with confusion. I do not have any digital certificate chain.

To verify the signature on a single certificate using a known issuer
public key you call:

        X509_verify(X509 *cert, EVP_PKEY *pkey)

with return values <= 0 indicating failure.  To verify a certificate
chain against a set of trust anchors you call:

        X509_verify_cert(X509_STORE_CTX *ctx)

where "ctx" is populated with the certificate chain, trust anchors,
CRLs, verification parameters, including some types of subject names
to check...  This is what most applications use to check that something
is signed by a trusted certificate with the right identity and purpose.

--
        Viktor.

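The whole thread in one runnable script, as an added example that is not part of the original posts or of any poster's code. It builds a throw-away CA and a CA-issued leaf with the openssl CLI, then shows Richard's `openssl verify -CAfile` (what X509_verify_cert does, and why it needs the CA certificate as a trust anchor), reproduces morthalan's "error 20" when the leaf is passed as its own CA file, implements Felipe's self-signed test (subject == issuer, then confirmed with the certificate's own key), and, for the X509_verify that Rich and Viktor point at, checks the raw signature over tbsCertificate against a chosen issuer key with no chain and no trust store. Assumptions that are mine, not the thread's: OpenSSL 1.1.1 or later on PATH, RSA-2048 keys with sha256WithRSAEncryption (so the signature is the last 256 bytes of the DER certificate and the outer SEQUENCE header is 4 bytes), and the file and function names.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a throw-away CA and a CA-issued
# leaf with the openssl CLI, then runs the three kinds of check discussed:
#   chain_verify   openssl verify / X509_verify_cert: needs a trust anchor
#   is_self_signed Felipe's name test: subject == issuer
#   sig_verify     what X509_verify does: signature over tbsCertificate
#                  checked with a chosen issuer key, no chain, no trust store
# Assumptions (mine, not the thread's): OpenSSL >= 1.1.1 on PATH; RSA-2048
# keys and sha256WithRSAEncryption, so the signature is the last 256 bytes of
# the DER certificate and the outer SEQUENCE header is 4 bytes long.

make_pki() {   # $1 = work dir; writes ca.key ca.pem leaf.key leaf.csr leaf.pem
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$d/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = leaf.example
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/ca.key" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/leaf.key" 2>/dev/null &&
    # self-signed CA certificate: the trust anchor the thread says you cannot do without
    openssl req -x509 -new -key "$d/ca.key" -config "$d/ca.cnf" -extensions v3_ca \
        -days 365 -sha256 -out "$d/ca.pem" 2>/dev/null &&
    # CSR, signed with the requester's own key (certReq.pem in the thread)
    openssl req -new -key "$d/leaf.key" -config "$d/leaf.cnf" -out "$d/leaf.csr" 2>/dev/null &&
    # CA issues the entity certificate from the CSR (SignedCertificate.pem in the thread)
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 365 -sha256 -out "$d/leaf.pem" 2>/dev/null
}

chain_verify() {   # $1 = cert, $2 = trust anchor file; Richard's command
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then return 0; else return 1; fi
}

is_self_signed() { # $1 = cert; true when subject name == issuer name
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

sig_verify() {     # $1 = cert, $2 = candidate issuer cert (pass the cert itself to test self-signature)
    t=$(mktemp -d)
    if openssl x509 -in "$1" -outform DER -out "$t/cert.der" 2>/dev/null &&
       # tbsCertificate is the first element inside the outer SEQUENCE (offset 4)
       openssl asn1parse -inform DER -in "$t/cert.der" -strparse 4 -out "$t/tbs.der" -noout &&
       # signatureValue BIT STRING comes last; its 256 content bytes are the RSA-2048 signature
       tail -c 256 "$t/cert.der" > "$t/sig.bin" &&
       openssl x509 -in "$2" -noout -pubkey > "$t/issuer.pub" &&
       openssl dgst -sha256 -verify "$t/issuer.pub" -signature "$t/sig.bin" "$t/tbs.der" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$t"
    return $rc
}

show() { if "$@"; then echo "yes  $*"; else echo "no   $*"; fi; }

DEMO=$(mktemp -d) && make_pki "$DEMO" && cd "$DEMO" || { echo "setup failed (is openssl installed?)" >&2; exit 1; }
echo "--- chain verification (openssl verify / X509_verify_cert)"
show chain_verify leaf.pem ca.pem     # yes: the CA cert is the trust anchor
show chain_verify leaf.pem leaf.pem   # no: morthalan's command; the line below says why
openssl verify -CAfile leaf.pem leaf.pem 2>&1 | grep 'error 20' || true
echo "--- self-signed? (name test, then prove it with the cert's own key)"
show is_self_signed ca.pem            # yes
show is_self_signed leaf.pem          # no
show sig_verify ca.pem ca.pem         # yes: a root signs itself
show sig_verify leaf.pem leaf.pem     # no: the leaf is not self-signed
echo "--- raw signature check (X509_verify): did ca.pem's key sign leaf.pem?"
show sig_verify leaf.pem ca.pem       # yes
cd / && rm -rf "$DEMO"
```

Run it with `sh`; each `show` line prints yes or no. sig_verify answers only the question Rich restated: did this key produce the signature in this certificate. chain_verify additionally applies validity dates, the issuer's basicConstraints and keyUsage, and the trust decision, which is why morthalan's command fails with error 20 even though the leaf's signature is perfectly good: with only the leaf in -CAfile there is no certificate whose subject matches the leaf's issuer, so the chain cannot be built at all.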