Security-57031.1.35.tar.gz
[apple/security.git] / SecurityTests / clxutils / certChain / README
This program, certChain, demonstrates how to use the SecTrust object to obtain
a constructed, ordered, verified certificate chain given a single subject cert.
It's a command-line program, with one argument - the filename of the subject cert.
The contents of all certs in the resulting cert chain will be displayed, along
with possible errors detected while attempting to create the cert chain.

Intermediate certs can be in any of the current user's keychains. They do not
have to be in the default or login keychain. The chain must verify back to one
of the system-wide trusted roots in /System/Library/Keychains/X509Anchors.

To build the program just cd to its directory and type 'make'.

Included in the directory are several certs illustrating the operation of
certChain.

If you run

% ./certChain amazon_v3.100.cer

...you will get an ordered cert chain of length 2 - one for the subject cert, and one for the root (which came from the system-wide X509Anchors).

Now try this one:

% ./certChain keybank_v3.100.cer

You'll get a cert chain of length 1, with the error message

***Can not verify to a root cert

Now add the intermediate cert keybank_v3.101.cer to one of your keychains (using Keychain Access.app or /usr/bin/certtool). Try evaluating the cert again:

% ./certChain keybank_v3.100.cer

You now get a fully verified cert chain with three certs in it:

-- the subject cert, keybank_v3.100.cer, which you passed as a cmd line argument.
-- the intermediate cert, keybank_v3.101.cer, which was obtained from one
   of your keychains.
-- the root cert, which came from the system-wide X509Anchors.
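
The three outcomes above (length 2, length 1 with an error, length 3) can be reproduced with a simplified model of chain building. This is an added example, not part of the original README and not the certChain source: it matches issuer and subject names only, whereas SecTrust produces a verified chain, and the cert names, cert_t, build_chain and sample_chain_len are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: a cert is only a subject name and an issuer name. */
typedef struct { const char *subject, *issuer; } cert_t;

/* Constructed sample names, not taken from the real .cer files. */
const cert_t LEAF    = { "CN=leaf.example",   "CN=Example Intermediate" };
const cert_t DIRECT  = { "CN=direct.example", "CN=Example Root" };
const cert_t INTER[] = {{ "CN=Example Intermediate", "CN=Example Root" }};
const cert_t ROOTS[] = {{ "CN=Example Root",         "CN=Example Root" }};

static const cert_t *find(const cert_t *pool, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(pool[i].subject, name) == 0) return &pool[i];
    return NULL;
}

/* Fill out[] leaf-first and return the chain length; *verified is set to 1
 * only when the chain ends at a cert from anchors. */
size_t build_chain(const cert_t *leaf, const cert_t *keychain, size_t nk,
                   const cert_t *anchors, size_t na,
                   const cert_t **out, size_t max, int *verified) {
    size_t len = 0;
    const cert_t *cur = leaf;
    *verified = 0;
    if (max == 0) return 0;
    out[len++] = cur;
    for (;;) {
        int self_signed = strcmp(cur->subject, cur->issuer) == 0;
        const cert_t *next = find(anchors, na, cur->issuer);
        if (next && self_signed) { *verified = 1; break; } /* cur is a root */
        if (self_signed || len == max) break;  /* untrusted root or no room */
        if (next) { out[len++] = next; *verified = 1; break; }
        next = find(keychain, nk, cur->issuer);
        if (!next) break;                      /* intermediate missing */
        out[len++] = cur = next;
    }
    return len;
}

/* Chain length for a sample leaf, with or without the intermediate. */
size_t sample_chain_len(const cert_t *leaf, int have_inter, int *verified) {
    const cert_t *chain[8];
    return build_chain(leaf, INTER, have_inter ? 1 : 0, ROOTS, 1, chain, 8, verified);
}

int main(void) {
    int ok; size_t n = sample_chain_len(&LEAF, 0, &ok);
    printf("no intermediate: length %zu, verified %d\n", n, ok);
    return 0;
}
```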