====== OpenSSL - find Root-Certificate ======

To find the issuer of a certificate, you should use the "Issuer DN" and match it with the "Subject DN" of the certificates in your CA store. This should significantly reduce the number of signature verifications.

It is possible to have different CA certificates with the same "Subject DN" (with different public keys, validity dates, etc.), so your algorithm should be prepared to handle that. The "Subject Key Identifier" and "Authority Key Identifier" can also help to reduce the number of candidates.

Finding the issuing authority is only a small part of the "right approach" to validating certificates. I would advise you to look at part 6 of [[http://www.ietf.org/rfc/rfc5280.txt|rfc5280]] "Certification Path Validation". Some parts are most probably overkill (i.e. most things having to do with policies).

https://stackoverflow.com/questions/1567106/how-to-determine-the-root-of-a-certificate

===== Verifying Issuer =====

How to use OpenSSL on the command line to verify that a certificate was issued by a specific CA, given that CA's certificate:

<code>
$ openssl verify -verbose -CAfile cacert.pem server.crt
server.crt: OK
</code>

If you get any other message, the certificate was not issued by that CA.

https://kb.wisc.edu/iam/page.php?id=4543#:~:text=Verifying%20that%20a%20Certificate%20is%20issued%20by%20a,the%20certificate%20was%20not%20issued%20by%20that%20CA.

{{tag>[Certificate Root-CA Issuer OpenSSL]}}
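
The issuer lookup described above (match the Issuer DN against the Subject DNs in the CA store, then confirm with a signature check), as an added example that is not part of the original page or the linked answers. It assumes the CA store is a directory of self-signed root certificates in PEM files named ''*.pem''; the function names ''find_issuer'' and ''make_demo_store'' are hypothetical, and all certificates are constructed for the demo.

```shell
#!/bin/sh
# find_issuer CERT CA_DIR: print the CA file in CA_DIR that issued CERT.
find_issuer() {
    cert=$1; ca_dir=$2
    # Step 1, cheap filter: hash of CERT's Issuer DN vs. each CA's Subject DN.
    want=$(openssl x509 -noout -issuer_hash -in "$cert" 2>/dev/null) || return 2
    for ca in "$ca_dir"/*.pem; do
        have=$(openssl x509 -noout -subject_hash -in "$ca" 2>/dev/null) || continue
        [ "$have" = "$want" ] || continue
        # Step 2: several CAs can share one Subject DN, so only the signature
        # check decides. Anything other than "<file>: OK" is a non-match.
        if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1   # no candidate in the store verified
}

# Constructed sample data: two roots with the SAME Subject DN but different
# keys, one unrelated root, and a server certificate signed by root-b.
make_demo_store() {
    d=$1; mkdir -p "$d/ca"
    for n in root-a root-b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Demo/CN=Demo Root" \
            -keyout "$d/$n.key" -out "$d/ca/$n.pem" 2>/dev/null || return 1
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Demo/CN=Other Root" \
        -keyout "$d/other.key" -out "$d/ca/other.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 2 -CAcreateserial \
        -CA "$d/ca/root-b.pem" -CAkey "$d/root-b.key" \
        -out "$d/server.crt" 2>/dev/null
}

# Demo: root-a passes the DN filter but fails verification; root-b is printed.
demo=$(mktemp -d)
make_demo_store "$demo" && find_issuer "$demo/server.crt" "$demo/ca"
```
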