Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Obtaining the certificate chain

I am working with X509 certificates in Java. Given a certificate is it possible to find all other certificates in the signing hierarchy until you reach the root certificate?

I have a certificate file (with a .cer extension) and I want to extract the parent signing certificate. I want to keep finding the parent of that certificate untill I get the final root certificate, which is self signed.

I have checked the X509Certificate certificate APIs and relevant APIs in java.security.cert but could not find anything useful.

like image 639
user496934 Avatar asked Jun 19 '12 08:06

user496934


People also ask

How do you find the certificate chain?

You can check for your SSL certificate chain using your browser. For my case, I used Google Chrome. With Chrome, click the padlock icon on the address bar, click certificate, a window will pop-up.

What is the certificate chain of trust?

The chain of trust of a certificate chain is an ordered list of certificates, containing an end-user subscriber certificate and intermediate certificates (that represents the intermediate CA), that enables the receiver to verify that the sender and all intermediate certificates are trustworthy.


1 Answers

That is not hard - assuming you've somehow/out of band got all the intermediate certificates and the root cert in one or more keychains.

Have a look at

http://codeautomate.org/blog/2012/02/certificate-validation-using-java/

for a code snipped which does just that. The key bit is in validateKeyChain() and basically consists of

   cert = cert-to-validate
   while(not self signed) {
       extract issuer from cert
       scan keychain(s) to find cert with a subject equal to the issuer
       if none found - error
       check if the signature is correct.
       cert = issuers_cert
   }
   if not at the top/root - error

As to how you get the intermediate/root certificates - that is a different issue. Note that this code is a little bit naive - and does not quite understand cross-signing. The java pkix calls though though - BouncyCastle has an example.

You can generally build the root certs into a key chain; but the intermediate certificates often need to be 'gathered' or discovered more dynamically. This generally requires querying the SSL stack during TLS or similar.

like image 136
Dirk-Willem van Gulik Avatar answered Sep 20 '22 10:09

Dirk-Willem van Gulik