Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

OpenSSL - Certification Path and Validation


This chapter describes:

  • What Is a Certification Path?
  • Certification Path Validation
  • Certification Path Testing with OpenSSL

What Is a Certification Path?

Certification Path: Also called Certificate Chain. An ordered list of certificates where the subject entity of one certificate is identical to the issuing entity of the next certificate.

A certification path can also be defined as an ordered list of certificates where the issuing entity of one certificate can be identified as the subject entity of the previous certificate. But the first certificate has to be a special one, because there is no previous certificate to identify the issuing entity. The first certificate must be a self-signed certificate, where the issuing entity is the same as the subject entity.

For example, the following diagram shows you a certification path:

Certificate 1
   Issuer: Herong Yang
   Subject: Herong Yang

Certificate 2
   Issuer: Herong Yang
   Subject: John Smith

Certificate 3
   Issuer: John Smith
   Subject: Bill White

Certificate 4
   Issuer: Bill White
   Subject: Tom Bush

Certification Path Validation

A certification path needs to be validated. Here are the validation rules:

  • The first certificate must be self-signed. Its issuer must be recognized as a certificate authority (CA).
  • The issuer of any certificate, except the first one, must be "identical" to the subject of the previous certificate.
  • "identical" means that issuer's digital signature can verified by the subject's public key in the previous certificate.

OpenSSL offers a nice tool, the "verify" command, to validate a certification path. Here is the syntax of the "verify" command:

verify -CAfile first.crt -untrusted all_middle.crt last.crt

  • "first.crt" is the first certificate of the path. It should be a self-signed certificate.
  • "last.crt" is the last certificate of the path.
  • "all_middle.crt" is a collection of all middle certificates. If the certificates are stored in PEM format, you can join them into one collection file in any text editor.

Certification Path Testing with OpenSSL

Here is a testing scenario I followed to generate some certificates with different issuers and subjects. See previous notes if you have trouble generating keys and signing certificates.

1. Generating a self-signed certificate for Herong, herong.crt:

>echo Generating keys for Herong
>openssl genrsa -des3 -out herong_rsa.key
...

>echo Generating a self-signed certificate for Herong
>openssl req -new -key herong_rsa.key -x509 -out herong.crt -config openssl.cnf
...

(Continued on next part...)


Dr. Herong Yang, updated in 2007