Re: Given a certificate (PKC#7 format) how can you determine the root certificate file name - Openssl


  1. Re: Given a certificate (PKC#7 format) how can you determine the root certificate file name

    If the files are stored locally in a directory, then you can specify to the CTX the hash directory ( X509_STORE_load_locations(store,hashdir,rootfile) ), but you need to name your certificate file(s) with the hash of the subject name of the certificate. Or you could implement your own method: for each file in the directory, read it into an X509 and compare issuer name, serial number and hash value, but this is exactly what openssl does with hashdir.


    ----- Original Message ----
    From: Olivia Hudson
    To: openssl-users@openssl.org
    Sent: Thursday, June 19, 2008 8:21:15 PM
    Subject: Given a certificate (PKC#7 format) how can you determine the root certificate file name


    I'm writing code in C++ and to validate a certificate I need to verify its chain back to the root certificate.
    The method that validates the certificate also needs the root certificate file name. How can
    I determine the root certificate file name for a given certificate? I know the directory where root certificates
    are stored but I need to determine which root certificate is associated with a given certificate.
    Any help would be much appreciated.

    thanks,
    Olivia




  2. Re: Given a certificate (PKC#7 format) how can you determine the root certificate file name

    On Thu, Jun 19, 2008 at 11:31:39PM -0700, Sendroiu Eugen wrote:

    > If the files are stored locally in a directory,
    > then you can specify to the CTX the hash directory (
    > X509_STORE_load_locations(store,hashdir,rootfile) ), but you need to
    > name your certificate file(s) with the hash of the subject name of the
    > certificate. Or you could implement your own method: for each file in
    > directory, read it into X509 and compare issuer name, serial number and
    > hash value, but this is exactly what openssl does with hashdir
    >


    This is done (somewhat non-optimally) by c_rehash(1). And the links are
    named hash.N, where N>0 happens when two CAs have the same issuer DN hash.

    When I say "non-optimally", I mean that c_rehash(1) will first delete
    all the symlinks (even the ones it does not need to change) and then
    re-create them all. This means you cannot run c_rehash on a live
    system. The script can and should easily be changed to leave valid
    links intact.

    - Scan the current hash.N links and CA certs, noting
    which are paired properly and which are not.

    - Delete all links that are orphaned or whose CA cert has
    changed.

    - Create new links for CA certs that don't have a valid link,
    using the lowest unused "N".

    --
    Viktor.
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org
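The following script is an added example, not code from either post or from the OpenSSL project. It shows the two things the thread describes in working form: answering the original question (given a certificate, which file in the CA directory is its issuer) by hashing the issuer DN and looking up hash.N in a c_rehash-style directory, and the incremental re-linking procedure Viktor outlines (prune orphaned links, add links only for CA files that lack one, using the lowest unused N). It assumes the openssl(1) command-line tool is on PATH; the function names (prune_links, rehash_dir, find_issuer_file, demo) are this example's own, and every certificate it touches is generated on the fly as constructed test data, so nothing is read from the system trust store.

```shell
#!/bin/sh
# Added example (not from the thread): CApath hash-link maintenance and
# issuer lookup using only the openssl(1) CLI.  All certificates are
# constructed below; nothing here reads the system trust store.

# Print the subject-name hash that names a CA's link in the hash directory.
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }

# Step 1 of the incremental rehash: delete links that are orphaned or whose
# target no longer hashes to the link's own <hash> prefix.
prune_links() {
  dir=$1
  for l in "$dir"/*.[0-9]*; do
    [ -L "$l" ] || continue
    want=$(basename "$l"); want=${want%.*}
    target="$dir/$(readlink "$l")"
    if [ ! -f "$target" ] || [ "$(subject_hash "$target" 2>/dev/null)" != "$want" ]; then
      rm -f "$l"
    fi
  done
}

# Step 2: add <hash>.N links only for CA files that have none, picking the
# lowest unused N.  Valid links are left untouched, so this is safe to run
# on a live CApath (unlike c_rehash, which deletes everything first).
rehash_dir() {
  dir=$1
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue
    h=$(subject_hash "$f" 2>/dev/null) || continue
    for l in "$dir/$h".[0-9]*; do
      if [ -L "$l" ] && [ "$(readlink "$l")" = "$(basename "$f")" ]; then continue 2; fi
    done
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$f")" "$dir/$h.$n"
  done
}

# The original question: which file in the CA directory issued this cert?
# Hash the issuer DN to get the candidate links, then confirm by signature,
# because a renewed CA keeps its DN and therefore its hash (it becomes .1).
# For chains with intermediates, add "-untrusted intermediates.pem" to verify.
find_issuer_file() {
  cert=$1; dir=$2
  h=$(openssl x509 -noout -issuer_hash -in "$cert") || return 1
  for l in "$dir/$h".[0-9]*; do
    [ -e "$l" ] || continue
    if openssl verify -CAfile "$l" "$cert" >/dev/null 2>&1; then
      basename "$(readlink "$l" 2>/dev/null || echo "$l")"
      return 0
    fi
  done
  return 1
}

# Self-contained demonstration on constructed certificates.  Prints the
# issuer's file name and how many <hash>.N links share the root's hash.
demo() {
  work=$(mktemp -d) || return 1
  capath="$work/certs"; mkdir "$capath"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$work/root.key" -out "$capath/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example" -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$work/leaf.csr" -CA "$capath/root.pem" \
    -CAkey "$work/root.key" -CAcreateserial -out "$work/leaf.pem" >/dev/null 2>&1
  rehash_dir "$capath"                                  # root.pem -> <hash>.0
  status=0
  openssl verify -CApath "$capath" "$work/leaf.pem" >/dev/null 2>&1 || status=1
  # Renewed root: same DN, new key.  Same hash, so it lands in <hash>.1.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$work/root2.key" -out "$capath/root2.pem" >/dev/null 2>&1
  prune_links "$capath"; rehash_dir "$capath"
  h=$(subject_hash "$capath/root.pem")
  n=0; for l in "$capath/$h".[0-9]*; do if [ -L "$l" ]; then n=$((n + 1)); fi; done
  root=$(find_issuer_file "$work/leaf.pem" "$capath") || status=1
  rm -rf "$work"
  [ "$status" -eq 0 ] || return 1
  echo "$root $n"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Running `sh rehash.sh demo` prints `root.pem 2`: the leaf's issuer resolves to root.pem even though root2.pem hashes to the same name, and the second rehash added a .1 link without touching .0. On a real CApath run prune_links followed by rehash_dir; OpenSSL 1.1.0 and later also ship `openssl rehash`, which does the same job in C.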

