Re: X509_build_chain() - Re: Request for Openssl APIs to be used to sort the certificate chain


 



On 10.10.23 06:32, Brahmaji K wrote:
> Thanks a lot Viktor and David for your answers.

you are welcome - hopefully they helped.

Note that both answers assume that you already know which is the first (i.e., target) cert in the chain - cert 4 in your example.
If it is the only end-entity cert in the list, it is straightforward to take that.
If this is not the case (maybe because your target cert is a CA cert or there are multiple EE certs),
in the worst case one would have to try out which target cert results in the longest chain.


> On Tue, Oct 10, 2023 at 1:32 AM Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
> > On Mon, Oct 09, 2023 at 09:45:35PM +0530, Brahmaji K wrote:
> >
> > > If I got the certificate chain out of order [...], then is there a direct way (i.e., with[out?] any openssl API(s)), we can create the
> > > certificates chain in the correct order as - Cert 4 || Cert 3 || Cert 2 || Cert 1?
> >
> > It seems, you're looking for a CLI feature, that would not require
> > writing code.  That's a missing feature of the openssl-verify(1)
> > command.

Using cert verification (regardless if at API or CLI level) has the drawback that it is less efficient than just building the chain.

> > It has a `-show_certs` option that prints just the
> > distinguished names of the certificates in the constructed chain,
> > but has no `-print_certs` function that would instead just
> > output the constructed chain.

> > This would make a good entry-level contribution to the OpenSSL project.

If anyone tackles this, I'd suggest not providing a -print_certs option but an -out_chain <certfile> option.

    David
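The chain-ordering rule David describes above (pick the target cert, follow issuer links toward the root, and when more than one end-entity cert is present try each candidate and keep the longest chain), as an added Python example that is not part of this thread or of OpenSSL. It works on a minimal stand-in for X509 objects with constructed subject and issuer names; real code would take those fields from X509_get_subject_name()/X509_get_issuer_name() (or let X509_build_chain() do the work) and should confirm each link with X509_check_issued() and signature verification rather than trusting name matching alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X509 object carrying only what chain ordering needs.
    Assumption: subject/issuer are the DNs an X509 library would return."""
    label: str
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def candidate_targets(certs):
    """Certs that issued nothing else in the list are the only sensible
    chain starts (end-entity certs). A self-signed cert is not counted as
    its own issuer, so a lone root still qualifies. If every cert issued
    something (or issuance is circular), fall back to trying all of them."""
    issuers = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issuers]
    return leaves or list(certs)


def build_chain(target, certs):
    """Walk issuer links from target toward a self-signed root.
    Returns target -> ... -> root; the chain stops early if an issuer is
    missing from the list, and never revisits a cert (no loops on cycles)."""
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    chain = [target]
    seen = {target}
    cur = target
    while not cur.self_signed:
        nxt = next((c for c in by_subject.get(cur.issuer, []) if c not in seen), None)
        if nxt is None:
            break  # issuer not supplied: partial chain
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def order_chain(certs):
    """Worst case from the thread: try every plausible target, keep the longest chain."""
    best = []
    for t in candidate_targets(certs):
        chain = build_chain(t, certs)
        if len(chain) > len(best):
            best = chain
    return best


def ordered_labels(certs):
    return [c.label for c in order_chain(certs)]


# Constructed sample: the four certs of the thread, deliberately out of order.
UNORDERED = [
    Cert("Cert 2", "CN=Intermediate A", "CN=Root"),
    Cert("Cert 4", "CN=server.example", "CN=Intermediate B"),
    Cert("Cert 1", "CN=Root", "CN=Root"),
    Cert("Cert 3", "CN=Intermediate B", "CN=Intermediate A"),
]

if __name__ == "__main__":
    print(" || ".join(ordered_labels(UNORDERED)))
```

Run stand-alone it prints `Cert 4 || Cert 3 || Cert 2 || Cert 1`, the order asked for in the thread. Adding a stray end-entity cert whose issuer is not in the list gives a second candidate target with a chain of length one, so the four-cert chain still wins; dropping the root yields the partial chain `Cert 4 || Cert 3 || Cert 2`, which is what a caller should expect when the trust anchor is not among the supplied certs.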


