exclude root certificate from certificate chain

2026-04-25 09:48:29 +02:00 · 2017-01-30 03:22:14 +01:00
parent 03f0dc18b9
commit ee65261ea8
2 changed files with 19 additions and 6 deletions
--- a/22
+++ b/22
@@ -621,12 +621,20 @@ sign_csr() {
  echo " + Done!"
 }

+# grep issuer cert uri from certificate
+get_issuer_cert_uri() {
+  certificate="${1}"
+  openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true
+}
+
+# walk certificate chain, retrieving all intermediate certificates
 walk_chain() {
+  local certificate
  certificate="${1}"

-  # grep uri from certificate
  local issuer_cert_uri
-  issuer_cert_uri="$(openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true)"
+  issuer_cert_uri="${2:-}"
+  if [[ -z "${issuer_cert_uri}" ]]; then issuer_cert_uri="$(get_issuer_cert_uri "${certificate}")"; fi
  if [[ -n "${issuer_cert_uri}" ]]; then
    # create temporary files
    local tmpcert
@@ -647,9 +655,13 @@ walk_chain() {
    else _exiterr "Unknown certificate type in chain"
    fi

-    printf "\n%s\n" "${issuer_cert_uri}"
-    cat "${tmpcert}"
-    walk_chain "${tmpcert}"
+    local next_issuer_cert_uri
+    next_issuer_cert_uri="$(get_issuer_cert_uri "${tmpcert}")"
+    if [[ -n "${next_issuer_cert_uri}" ]]; then
+      printf "\n%s\n" "${issuer_cert_uri}"
+      cat "${tmpcert}"
+      walk_chain "${tmpcert}" "${next_issuer_cert_uri}"
+    fi
    rm -f "${tmpcert}" "${tmpcert_raw}"
  fi
 }
--- a/test.sh
+++ b/test.sh
@@ -214,7 +214,8 @@ _CHECK_LOG "${TMP2_URL}"
 _SUBTEST "Verifying file with full chain..."
 openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL
 _SUBTEST "Verifying certificate against CA certificate..."
-(openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
+curl -s https://testca.kurz.pw/acme/issuer-cert | openssl x509 -inform DER -outform PEM > ca.pem
+(openssl verify -verbose -CAfile "ca.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
 _CHECK_ERRORLOG

 # Revoke certificate using certificate key