
Verify Ssl/x.509 Certificate Is Signed By Another Certificate

Question: How can I verify that an X.509 certificate is signed by another certificate using PyOpenSSL or Twisted? I want a client to verify that the received server certificate is t

Solution 1:

You should be able to do it with something like what is written here: http://www.yothenberg.com/validate-x509-certificate-in-python/ which is basically:

  1. load your certificates in PyOpenSSL with load_certificate()
  2. create a X509Store() object
  3. use add_cert() to add your intermediate certificate in the store
  4. create a X509StoreContext() object, initializing it with both your store object and your end certificate
  5. call verify_certificate() on your store context object

In practice, I was unable to make that part work, and I think it is for the reasons explained here: https://mail.python.org/pipermail/cryptography-dev/2016-August/000676.html

In short, even in 2016, there still does not seem to be a correct way to check certificates in PyOpenSSL, which is very sad. Note that the consensus seems to be that if you operate inside a TLS connection, things are better checked by the connection routine instead of offline through check_certificate().
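The five steps listed in the answer, worked through as an added example (not the answer's own code and not part of pyOpenSSL); it builds a throwaway CA, a leaf it signed and an unrelated CA in memory, and the helper names make_cert, is_signed_by and demo are assumptions:

```python
from OpenSSL import crypto

def make_cert(subject_cn, signer_key=None, signer_cert=None, is_ca=False):
    """Constructed test material: a self-signed CA (is_ca=True) or a leaf signed by signer_*."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.set_version(2)  # value 2 means X.509 v3, required for the extension below
    cert.set_serial_number(1 if is_ca else 2)
    cert.get_subject().CN = subject_cn
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(24 * 3600)
    cert.set_pubkey(key)
    if is_ca:
        # Self-signed root: issuer == subject, and OpenSSL requires CA:TRUE to accept it as an issuer
        cert.set_issuer(cert.get_subject())
        cert.add_extensions([crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE")])
        cert.sign(key, "sha256")
    else:
        cert.set_issuer(signer_cert.get_subject())
        cert.add_extensions([crypto.X509Extension(b"basicConstraints", True, b"CA:FALSE")])
        cert.sign(signer_key, "sha256")
    return key, cert

def is_signed_by(leaf_pem, trusted_ca_pems):
    """True iff leaf_pem chains to one of trusted_ca_pems (steps 1-5 of the answer)."""
    leaf = crypto.load_certificate(crypto.FILETYPE_PEM, leaf_pem)          # step 1
    store = crypto.X509Store()                                              # step 2
    for ca_pem in trusted_ca_pems:                                          # step 3
        store.add_cert(crypto.load_certificate(crypto.FILETYPE_PEM, ca_pem))
    ctx = crypto.X509StoreContext(store, leaf)                              # step 4
    try:
        ctx.verify_certificate()                                            # step 5: None on success
        return True
    except crypto.X509StoreContextError:
        # Raised for a bad signature, an untrusted issuer, expiry, or a non-CA issuer
        return False

def demo():
    """Check the leaf against the CA that signed it and against an unrelated CA."""
    ca_key, ca_cert = make_cert("Constructed Root CA", is_ca=True)
    _, leaf = make_cert("server.example.test", ca_key, ca_cert)
    _, other_ca = make_cert("Unrelated CA", is_ca=True)
    pem = lambda c: crypto.dump_certificate(crypto.FILETYPE_PEM, c)
    return {
        "trusted_ca": is_signed_by(pem(leaf), [pem(ca_cert)]),
        "wrong_ca": is_signed_by(pem(leaf), [pem(other_ca)]),
    }

if __name__ == "__main__":
    print(demo())  # {'trusted_ca': True, 'wrong_ca': False}
```

verify_certificate() only checks the chain (signatures, validity dates, CA constraints); it does not match the hostname against the subject or SAN, which is one reason the answer points at the TLS connection's own verification for a client.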
