I am trying to build a chain (or just get it from somewhere) from a certificate using OpenSSL, preferibly using the command line interface.
I have found some example in internet, but I am stuck at the question "Where do I get the CA issuer from the certificate?"
For example check this website openssl command cheatsheet, you will find the command
openssl s_client -showcerts -host example.com -port 443
to get the chain. You can try it using www.google.com
instead of example.com
.
The output should give you the chain. Other websites use the same command, sooner or later...
So, I cannot get the chain directly from the certificate, but I should ask somewhere for the chain.
Now my problem is: where do I get the hostname, where I can send my request for the chain?
I had a look to two certificates.
Using OpenSSL
, I can ask the Issuer using the command
openssl x509 -in certFile -noout -issuer
and I get respectively
Honestly, I do not know what to do with these results....
Then, investigating with the command
openssl x509 -text -in certFile
I have found the AIA extensions:
Ok in the first example, I can finally use the command
openssl s_client -showcerts -host http://cert.int-x3.letsencrypt.org/ -port 443
but with google, I do not know how to download the chain using openssl
....I could use wget
maybe, but I don't have the same format that I get from stackexchange...
So, finally, my questions:
OpenSSL
, without parsing the output myself? (something like openssl x509 -caIssuer -in certFile
)PS: What I try to achieve at the very end, is to validate a certificate, going through the complete chain, and checking all the OCSP or CRL for each certificate in the chain...If you have working example in C++, or just using OpenSSL CLI, I would be really grateful :)
EDIT:
What I am doing right now is creating the chain by myself.
Using the AIA extensions, I get the CA Issuer URI, download the CA Issuer certificate (convert to PEM if needed), and so on till I do not find a CA Issuer anymore. Then, probably it is a root CA.
After that, I manually collect all the pem and create the chain.
It seems a lot of example in internet have in mind the SSL certificate. In SSL certificate, you can just connect to the website and download the complete chain. I think it is in the SSL protocol itself that the server should give you the complete chain.
I was doing it for SMIME certificates, that is why I was confused, because I can not use the same method they use for SSL certificates.
After speaking with my collegues and also comparing what I was doing with some similar programs found in internet, it seems the AIA extension is the correct way to do it. Maybe it is not mandatory in the X509 standard, but it seems widely used (I have never seen a SMIME certificate without the AIA extension).
Then, I create the chain manually, go back using the AIA extension till I find a certificate without such extension.
At this point, that should be a root certificate and I will try to just validate it, using the installed certificates in the machine.
(Of course, do not forget to check the revocation status through CRL or OCSP)
So far, everything is working well :)