
Build certificate chains from certificate storage

A certificate chain is a sequence of certificates that starts with an end-entity certificate, followed by the certificate that was used to issue the end-entity certificate, followed by the next issuer certificate, and so on, until the root certificate is reached.

TElCustomCertStorage and its descendants (memory, win32, PKCS#11 and others) are capable of building chains from certificates contained in the storage. The created chain is returned as a TElX509CertificateChain object.

Chain building is pretty straightforward. You pick the certificate and you call the BuildChain() method of the storage:


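// Pick the certificate the chain should start from (here, the first one in the storage).
TElX509Certificate cert = storage.get_Certificates(0);

// Ask the storage to build the chain for that certificate.
TElX509CertificateChain chain = storage.BuildChain(cert, true);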

The component will try to build as long a chain as possible (subject to the availability of the corresponding certificates in the storage, of course). In any case, the resulting chain will contain at least one certificate (the one passed to the BuildChain() method).

Note that some certificate chains are not complete and include only the end-entity certificate and its issuer certificate. This may happen when the rest of the chain is supposed to be known to the recipient. For example, if Thawte certificates are included in the Windows certificate storage by default, there is no need to include them in every certificate chain where these certificates are used.
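The chain-building behaviour described above, modelled in Python as an added example; it is not SecureBlackbox code and does not claim to be how BuildChain() is implemented. The Cert class, build_chain() and all sample names are constructed for illustration. Linking is by subject/issuer name only, so a chain built this way still has to be validated (signatures, validity periods, trust anchor) before it is relied on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (names only)."""
    subject: str
    issuer: str

    @property
    def self_signed(self):
        return self.subject == self.issuer


def build_chain(store, cert):
    """Return (chain, complete). The chain always starts with `cert`.

    Follows issuer -> subject links through `store` until a self-signed root
    is reached, the issuer is missing, or a certificate repeats (loop guard).
    """
    by_subject = {c.subject: c for c in store}
    chain, seen, current = [cert], {cert}, cert
    while not current.self_signed:
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer in seen:
            return chain, False   # issuer absent from storage, or a cycle: partial chain
        chain.append(issuer)
        seen.add(issuer)
        current = issuer
    return chain, True            # ended at a self-signed root


# Constructed sample data: a three-level hierarchy plus a leaf with no issuer in storage.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("CN=www.example.test", "CN=Example Issuing CA")
ORPHAN = Cert("CN=orphan.example.test", "CN=Unknown CA")

FULL_STORE = [LEAF, INTERMEDIATE, ROOT]
PARTIAL_STORE = [LEAF, INTERMEDIATE]  # root is expected to be known to the recipient

if __name__ == "__main__":
    for store, cert in [(FULL_STORE, LEAF), (PARTIAL_STORE, LEAF), (FULL_STORE, ORPHAN)]:
        chain, complete = build_chain(store, cert)
        print([c.subject for c in chain], "complete" if complete else "incomplete")
```

An incomplete result is the normal outcome when the root is deliberately left out of the storage; the caller then has to complete or validate the chain against its own trusted certificates.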
