When manually building a certificate you often do something like this, appending an intermediate certificate to your own (and sometimes the root CA):
# Concatenate intermediate certificate and root certificate
cat ${CERTNAME}.single.pem DigiCertSHA2ExtendedValidationServerCA.pem DigiCertHighAssuranceEVRootCA.pem > ${CERTNAME}.pem
I recently appended an intermediate certificate to a certificate that was issued by another CA, and of course, Chrome warned me that it could not validate the certificate. I wonder how I can know this ahead of time, using for instance openssl
or keytool
to ensure that I only concatenate certificates to the chain that make sense.
When making a "human readable dump" of an intermediate Buypass certificate I get this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1b:78:1c:6d:5e:34:ce:1f:77
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 Root CA
Validity
Not Before: Mar 25 12:17:10 2019 GMT
Not After : Oct 26 09:16:17 2030 GMT
Subject: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 CA 2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9c:ab:67:c6:96:4b:0d:0f:91:d2:ec:ca:cc:33:
2b:f3:72:fc:0e:7f:b9:4e:84:a9:0f:7d:73:aa:26:
...
(using openssl x509 -in my-cert.pem -noout -text
)
The Subject
field in this intermediate certificate is the same as the Issuer
field in my own certificate, so I guess I could extract this and grep it, but although that will probably be sufficient in 99% of the cases, it does not strike me as correct :) Is there some kind of signature I can use to verify "ancestry" between the two?