Get chain or CA issuer from x509 certificate using OpenSSL CLI
12:06 07 Oct 2019

I am trying to build a chain (or just get it from somewhere) from a certificate using OpenSSL, preferably using the command line interface.

I have found some examples on the internet, but I am stuck at the question "Where do I get the CA issuer from the certificate?"

For example, check this website openssl command cheatsheet; you will find the command

openssl s_client -showcerts -host example.com -port 443

to get the chain. You can try it using www.google.com instead of example.com. The output should give you the chain. Other websites use the same command, sooner or later...

So, I cannot get the chain directly from the certificate, but I should ask somewhere for the chain.

Now my problem is: where do I get the hostname where I can send my request for the chain?

I had a look at two certificates.

  1. stackexchange.com
  2. google.com

Using OpenSSL, I can ask for the Issuer using the command

openssl x509 -in certFile -noout -issuer

and I get respectively

  1. issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
  2. issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

Honestly, I do not know what to do with these results....

Then, investigating with the command

openssl x509 -text -in certFile

I have found the AIA extensions:

  1. CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
  2. CA Issuers - URI:http://pki.goog/gsr2/GTS1O1.crt

OK, in the first example, I can finally use the command

openssl s_client -showcerts -host http://cert.int-x3.letsencrypt.org/ -port 443

but with Google, I do not know how to download the chain using openssl... I could use wget maybe, but I don't have the same format that I get from stackexchange...

So, finally, my questions:

  • How should I work with these differences?
  • Is there a better way to get the chain from a certificate, without asking for the CA Issuer?
  • The CA Issuer is an extension, from AIA, and I think it is not mandatory; can I rely on it?
  • How can I get the CA Issuer using OpenSSL, without parsing the output myself? (something like openssl x509 -caIssuer -in certFile)

PS: What I try to achieve at the very end is to validate a certificate, going through the complete chain, and checking all the OCSP or CRL for each certificate in the chain... If you have a working example in C++, or just using the OpenSSL CLI, I would be really grateful :)

EDIT:

What I am doing right now is creating the chain by myself.

Using the AIA extensions, I get the CA Issuer URI, download the CA Issuer certificate (convert to PEM if needed), and so on until I no longer find a CA Issuer. Then, probably, it is a root CA.

After that, I manually collect all the PEMs and create the chain.
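The AIA walk described in the EDIT (and the "get the CA Issuer without parsing -text myself" question above), as an added example that is not part of the original question: it assumes OpenSSL 1.1.1 or later (for `-ext`) and curl on PATH, and the file names in the usage comment are placeholders.

```shell
# Added example (not from the question): follow the AIA "CA Issuers" pointers of
# a leaf certificate to assemble its chain, the procedure described in the EDIT.
# Assumes OpenSSL 1.1.1+ (for -ext) and curl on PATH.
set -e

# Print the first "CA Issuers" URI from the Authority Information Access
# extension, or nothing if the certificate has no such entry (AIA is optional).
aia_ca_issuer_uri() {
    openssl x509 -in "$1" -noout -ext authorityInfoAccess 2>/dev/null \
        | sed -n 's/^[[:space:]]*CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

# Heuristic stop condition: issuer DN hash == subject DN hash (a self-signed
# cert, normally a root). Trust still comes from the local store, not from here.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Download an issuer cert and normalise it to PEM. CA Issuers URIs usually serve
# DER (.crt/.cer, like the pki.goog example), so try DER first, then PEM.
fetch_issuer_pem() {  # $1 = URI, $2 = output PEM path
    tmp=$(mktemp)
    curl -fsSL --max-time 20 -o "$tmp" "$1"
    openssl x509 -in "$tmp" -inform DER -out "$2" 2>/dev/null \
        || openssl x509 -in "$tmp" -inform PEM -out "$2"
    rm -f "$tmp"
}

# Write leaf + every fetched issuer (in order) to $2. Depth is capped so a
# malformed or looping AIA pointer cannot make the walk run forever.
build_chain() {  # $1 = leaf PEM, $2 = output chain file
    cp "$1" "$2"
    cur=$1; depth=0
    while ! is_self_signed "$cur" && [ "$depth" -lt 8 ]; do
        uri=$(aia_ca_issuer_uri "$cur")
        if [ -z "$uri" ]; then
            echo "no CA Issuers URI in $cur; chain may be incomplete" >&2
            break
        fi
        next="$2.$depth.issuer.pem"
        fetch_issuer_pem "$uri" "$next"
        cat "$next" >> "$2"
        cur=$next; depth=$((depth + 1))
    done
}

# Usage (placeholder file names): build_chain leaf.pem chain.pem
# then: openssl verify -untrusted chain.pem leaf.pem  (trust from the system store)
```

The downloaded chain only supplies intermediates; whether the leaf is actually trusted is decided by `openssl verify` against the local trust store, so the self-signed certificate at the end of the walk must never be treated as trusted just because the walk reached it.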
