EldoS | Feel safer!

Certificate chain validation

Posted: 06/26/2007 11:03:13
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 165


I need to validate a certificate chain. The actual operation options are numerous (set self-signed certificate or real PKI) but there is one thing that isn't clear to me:

Assuming the certificate I need to validate has been signed by an intermediary CA and by a root CA, that I have all these certificates in a certificate store, and that I have the root CA in a different TElX509Certificate instance in addition to the store: how would I go about validating that chain correctly?

Can I use ValidateWithCA in this case? Do I need to loop through the whole chain, validating each certificate with its issuer? Do I need to use the Store's Validate method?

Thank you
Posted: 06/27/2007 01:46:51
by Ken Ivanov (EldoS Corp.)

The idea is to iterate from the end-entity certificate up to the Root CA, validating each certificate with its parent one (except the Root CA). Call the TElCustomCertStorage.GetIssuerCertificate() method to get the index of the certificate's issuer in the storage, then use the TElX509Certificate.ValidateWithCA() method to perform validation. The Root CA (self-signed) certificate should be validated in a different way, via the TElX509Certificate.Validate() method.
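The walk described in the reply above, written out as an added example (it is not code from this thread or from the SecureBlackbox samples). It assumes the Delphi edition's member names as used in the reply, plus `Certificates[]`, `Count` and `SelfSigned`, and that `GetIssuerCertificate` returns -1 when no issuer is found; it also adds the two checks a practitioner wants here: a depth bound, and a requirement that the self-signed certificate the walk ends at is the root you actually trust.

```pascal
{ Added example. Assumed SecureBlackbox (Delphi) members:
    TElCustomCertStorage.GetIssuerCertificate(Cert): Integer  - index in storage, -1 if none
    TElCustomCertStorage.Certificates[Index], TElCustomCertStorage.Count
    TElX509Certificate.ValidateWithCA(CA): Boolean
    TElX509Certificate.Validate: Boolean
    TElX509Certificate.SelfSigned: Boolean }
function ValidateChainUpToRoot(Storage: TElCustomCertStorage;
  EndEntity, TrustedRoot: TElX509Certificate): Boolean;
const
  MaxDepth = 8; // bound the walk so an issuer loop in the storage cannot hang us
var
  Current: TElX509Certificate;
  Idx, Depth: Integer;
begin
  Result := False;
  Current := EndEntity;
  for Depth := 0 to MaxDepth do
  begin
    if Current.SelfSigned then
    begin
      // Top of the chain. As the reply says, a self-signed certificate is checked
      // with Validate because it has no parent. On its own that only proves the
      // certificate is internally consistent, so additionally require that its
      // signature verifies under the key of the root we trust: a chain that ends
      // at some other self-signed certificate found in the storage is rejected.
      Result := Current.Validate and Current.ValidateWithCA(TrustedRoot);
      Exit;
    end;
    Idx := Storage.GetIssuerCertificate(Current);
    if (Idx < 0) or (Idx >= Storage.Count) then
      Exit; // issuer not in the storage: the chain is incomplete, so it is not valid
    // Validate this link against its parent before walking further up.
    if not Current.ValidateWithCA(Storage.Certificates[Idx]) then
      Exit;
    Current := Storage.Certificates[Idx];
  end;
  // MaxDepth exceeded without reaching a self-signed certificate: treat as invalid.
end;
```

The certificates returned through `Certificates[]` are owned by the storage, so nothing is freed here.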
Posted: 06/27/2007 01:56:36
by Eugene Mayevski (EldoS Corp.)

If all certificates are in the same storage, you can do the following:

1) call ElCustomCertStorage.BuildChain method to retrieve the complete chain
2) call TElX509CertificateChain.Validate method to validate the chain

Sincerely yours
Eugene Mayevski
Posted: 06/27/2007 02:21:49
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 165

Thank you, that's exactly the answer I was looking for.

Just one additional question: is there an easy way to know exactly to which chain a specific certificate belongs?
Posted: 06/27/2007 02:31:41
by Eugene Mayevski (EldoS Corp.)

A chain is not something physical. It's just a relation between certificates. This relation can be determined by using the GetIssuerCertificate() method.

Sincerely yours
Eugene Mayevski