Way to find out missing root-CA

Gateway
1

Hello

is there a easy way to find out which root-CA is missing if a user
certificate is stated as invalid because of missing root?

Many Thanks

Andreas

2

is there a easy way to find out which root-CA is missing if a user
certificate is stated as invalid because of missing root?

The way to do it currently is to copy the issuer field of the
certificate (open the certificate info by clicking the cert) then search
for the issuer field in the certificate store by clicking the filter,
select "Filter by: Subject" and paste the issuer.

You should normally get at max one result which should normally be the
issuer.

Perhaps I might add a path builder result page which shows the possible
cert path.

Kind regards,

Martijn

···

--
Djigzo open source email encryption

3

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

is there a easy way to find out which root-CA is missing if a user
certificate is stated as invalid because of missing root?

The way to do it currently is to copy the issuer field of the
certificate (open the certificate info by clicking the cert) then search
for the issuer field in the certificate store by clicking the filter,
select "Filter by: Subject" and paste the issuer.

You should normally get at max one result which should normally be the
issuer.

Perhaps I might add a path builder result page which shows the possible
cert path.

This would require the root CA already in the store?
I was looking for a way to find out where to look for a download for
example if a certificate arrives with no matching root CA until now.
Is there some URL included in the cert data which contain a path to
the issuer CAs.

Regards

Andreas

4

This would require the root CA already in the store?

Yes

I was looking for a way to find out where to look for a download for
example if a certificate arrives with no matching root CA until now.
Is there some URL included in the cert data which contain a path to
the issuer CAs.

Unfortunately afaik there is not standard way to provide a URL to the
issuer. With the well known CAs in most cases it's easy to find out but
with company generated CAs it's not always clear where to get the CA
from. Djigzo will always include to root certificate to make sure that
the receiving end always gets the root as well (not that this helps in
your case because the sender was probably not using Djigzo).

Kind regards,

Martijn

···

--
Djigzo open source email encryption