EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Certificate chain validation

Posted: 06/26/2007 11:03:13
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 174


I need to validate a certificate chain. The actual operation options are numerous (set self-signed certificate or real PKI), but there is one thing that isn't clear to me:

Assuming the certificate I need to validate has been signed by an intermediary CA and by a root CA. Assuming that I have all these certificates in a certificate store and assuming I have the root CA in a different TElX509Certificate instance in addition to the store. How would I go about validating that chain correctly?

Can I use ValidateWithCA in this case? Do I need to loop through all the chain, validating each certificate with its issuer? Do I need to use the Store's Validate method?

Thank you
Posted: 06/27/2007 01:46:51
by Ken Ivanov (Team)

The idea is to iterate from the end-entity certificate up to the Root CA, validating each certificate with the parent one (except the Root CA). Call the TElCustomCertStorage.GetIssuerCertificate() method to get the certificate issuer's index in the storage, then use the TElX509Certificate.ValidateWithCA() method to perform validation. The Root CA (self-signed) certificate should be validated in a different way, via the TElX509Certificate.Validate() method.
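The walk described above, written out as an added Delphi example (not code from the thread or from EldoS). The method signatures in the comments are assumed from the names quoted here and were not checked against the SDK; the `SelfSigned` property, the `Certificates[]` indexer and the hop limit are assumptions too.

```delphi
// Walk from the end-entity certificate up to a self-signed root, validating
// each certificate against its issuer, then validate the root on its own.
// Assumed signatures (from the method names in the thread, not verified):
//   TElCustomCertStorage.GetIssuerCertificate(Cert: TElX509Certificate): Integer  (-1 if none)
//   TElCustomCertStorage.Certificates[Index]: TElX509Certificate
//   TElX509Certificate.ValidateWithCA(CA: TElX509Certificate): Boolean
//   TElX509Certificate.Validate: Boolean
//   TElX509Certificate.SelfSigned: Boolean
function ValidateChainManually(Storage: TElCustomCertStorage;
  EndEntity, TrustedRoot: TElX509Certificate): Boolean;
var
  Current, Issuer: TElX509Certificate;
  Idx, Hops: Integer;
begin
  Result := False;
  Current := EndEntity;
  Hops := 0;
  while not Current.SelfSigned do
  begin
    Inc(Hops);
    if Hops > 16 then
      Exit; // assumed limit: stops an issuer loop in a malformed store
    Idx := Storage.GetIssuerCertificate(Current);
    if Idx < 0 then
    begin
      // Issuer is not in the store; the separately held root may be it.
      if (TrustedRoot <> nil) and Current.ValidateWithCA(TrustedRoot) then
        Current := TrustedRoot
      else
        Exit; // chain is broken: no issuer found
    end
    else
    begin
      Issuer := Storage.Certificates[Idx];
      if not Current.ValidateWithCA(Issuer) then
        Exit; // signature or name linkage does not check out
      Current := Issuer;
    end;
  end;
  // Reached a self-signed certificate: validate it on its own, and only
  // trust the chain if it is signed by the key of the root we trust
  // (assumed: ValidateWithCA against TrustedRoot checks exactly that).
  if (TrustedRoot <> nil) and not Current.ValidateWithCA(TrustedRoot) then
    Exit; // ends in a self-signed certificate that is not our trust anchor
  Result := Current.Validate;
end;
```

A False result from ValidateWithCA at any hop means the chain should be rejected outright; the loop deliberately does not continue past a failed link.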
Posted: 06/27/2007 01:56:36
by Eugene Mayevski (Team)

If all certificates are in the same storage, you can do the following:

1) call ElCustomCertStorage.BuildChain method to retrieve the complete chain
2) call TElX509CertificateChain.Validate method to validate the chain

Sincerely yours
Eugene Mayevski
Posted: 06/27/2007 02:21:49
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 174

Thank you, that's exactly the answer I was looking for.

Just one additional question: is there an easy way to know exactly which chain a specific certificate belongs to?
Posted: 06/27/2007 02:31:41
by Eugene Mayevski (Team)

A chain is not something physical. It's just a relation between certificates. This relation can be determined by using the GetIssuerCertificate() method.

Sincerely yours
Eugene Mayevski


