Re: X509_build_chain() - Re: Request for Openssl APIs to be used to sort the certificate chain

Hi David,

>> Note that both answers assume that you already know which is the first (i.e., target) cert in the chain - cert 4 in your example.
In our case we only know the root cert, but all other certs are given jumbled, and the target is to extract the leaf cert (target cert) from among the jumbled certs.

On Tue, Oct 10, 2023 at 12:10 PM David von Oheimb via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
On 10.10.23 06:32, Brahmaji K wrote:
Thanks a lot Viktor and David for your answers.

you are welcome - hopefully they helped.

Note that both answers assume that you already know which is the first (i.e., target) cert in the chain - cert 4 in your example.
If it is the only end-entity cert in the list, it is straightforward to take that.
If this is not the case (maybe because your target cert is a CA cert or there are multiple EE certs),
in the worst case one would have to try out which target cert results in the longest chain.


On Tue, Oct 10, 2023 at 1:32 AM Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Mon, Oct 09, 2023 at 09:45:35PM +0530, Brahmaji K wrote:

> If I got the certificate chain out of order [...], then is there a direct way (i.e., with[out?] any openssl API(s)), we can create the
> certificates chain in the correct order as - Cert 4 || Cert 3 || Cert 2 || Cert 1?

It seems you're looking for a CLI feature that would not require
writing code.  That's a missing feature of the openssl-verify(1)
command.

Using cert verification (regardless if at API or CLI level) has the drawback that it is less efficient than just building the chain.

It has a `-show_certs` option that prints just the
distinguished names of the certificates in the constructed chain,
but has no `-print_certs` function that would instead just
output the constructed chain.

This would make a good entry-level contribution to the OpenSSL project.

If anyone tackles this, I'd suggest not providing a -print_certs option but an -out_chain <certfile> option.

    David
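The ordering procedure David describes (take the single end-entity cert if there is only one, otherwise try every cert as the target and keep the one that yields the longest chain to the known root), written out as an added example that is not code from this thread or from OpenSSL. It models each certificate as a constructed record holding only the fields the ordering needs (subject, issuer, CA flag), so it runs without any X.509 parsing; with real certificates those fields come from the parsed X509 object, and each issuer link must additionally be checked by verifying the signature, since matching names alone does not prove that one cert actually issued the other.

```python
from collections import namedtuple

# Constructed stand-in for an X.509 certificate (assumption: real code would
# take subject, issuer and the basicConstraints CA flag from the parsed cert).
Cert = namedtuple("Cert", "name subject issuer is_ca")


def build_chain(target, certs, root, max_depth=32):
    """Follow issuer links from target up to root.

    Returns the ordered list [target, ..., root], or None if a link is
    missing, a loop is detected, or the chain exceeds max_depth.
    """
    by_subject = {c.subject: c for c in certs}
    chain = [target]
    seen = {target.subject}
    cur = target
    while cur.issuer != root.subject:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in seen or len(chain) >= max_depth:
            return None  # broken link, cycle, or runaway chain
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain + [root]


def order_chain(jumbled, root):
    """Recover target-first order from a jumbled bundle given only the root.

    Fast path: exactly one end-entity cert that chains to root. Otherwise
    try every cert as the target and keep the longest valid chain.
    """
    ee = [c for c in jumbled if not c.is_ca]
    if len(ee) == 1:
        chain = build_chain(ee[0], jumbled, root)
        if chain:
            return chain
    best = None
    for candidate in jumbled:
        if candidate.subject == root.subject:
            continue  # the root is the anchor, never the target
        chain = build_chain(candidate, jumbled, root)
        if chain and (best is None or len(chain) > len(best)):
            best = chain
    return best


# Constructed sample bundle mirroring the thread's Cert 1 .. Cert 4.
ROOT = Cert("Cert 1", "Root CA", "Root CA", True)
C2 = Cert("Cert 2", "Intermediate A", "Root CA", True)
C3 = Cert("Cert 3", "Intermediate B", "Intermediate A", True)
C4 = Cert("Cert 4", "leaf.example", "Intermediate B", False)
# A second end-entity cert whose issuer is absent from the bundle.
STRAY = Cert("Stray", "stray.example", "Unknown CA", False)
JUMBLED = [C3, C4, C2]


def ordered_names(jumbled, root):
    chain = order_chain(jumbled, root)
    return [c.name for c in chain] if chain else None


if __name__ == "__main__":
    print(ordered_names(JUMBLED, ROOT))
    print(ordered_names(JUMBLED + [STRAY], ROOT))
```

With the sample bundle, both calls yield Cert 4 || Cert 3 || Cert 2 || Cert 1; the stray end-entity cert forces the slow path (two EE certs), but it produces no chain at all because its issuer is not in the bundle, so the longest valid chain still wins.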


