X509_check_issued
NAME
X509_check_issued, X509_check_akid - helper functions to check whether one certificate is a potential issuer of another certificate
SYNOPSIS
#include <openssl/x509v3.h>
int X509_check_issued(const X509 *issuer, const X509 *subject);
int X509_check_akid(const X509 *issuer, const AUTHORITY_KEYID *akid);
DESCRIPTION
X509_check_issued() checks whether the certificate subject was apparently issued using the (CA) certificate issuer. It checks if the issuer field of subject equals the subject field of issuer. Moreover, using X509_check_akid() it compares all sub-fields of the authorityKeyIdentifier extension of subject, as far as present, with the respective subjectKeyIdentifier, serial number, and issuer fields of issuer, as far as present. It also checks if the subject signature algorithm matches the issuer public key algorithm and if any keyUsage field given in issuer allows certificate signing. It does not actually check the certificate signature. An error is returned if the issuer or the subject are incomplete certificates.
X509_check_akid() is a more low-level function. It assumes that various internal fields of issuer have already been filled in, for instance by calling X509_check_purpose(3) with its id parameter being -1. It checks whether the fields of the subject certificate's authority key identifier akid match the corresponding fields of the issuer certificate. In more detail: it returns X509_V_OK if akid is NULL (because this means no restriction) or all the following conditions are met:
- if akid has the keyIdentifier field, its value matches the subjectKeyIdentifier (SKID) extension of issuer if present,
- if akid has the authorityCertSerialNumber field, its value equals the serial number of the issuer certificate, and
- if akid has the authorityCertIssuer field and its GeneralNames include at least one directoryName, the first such name equals the issuer field of the issuer certificate.
RETURN VALUES
X509_check_issued() and X509_check_akid() return X509_V_OK if all checks are successful or some X509_V_ERR* constant indicating why the issuer does not match.
SEE ALSO
X509_verify_cert(3), X509_verify(3), X509_check_ca(3), openssl-verify(1), X509_self_signed(3), X509_check_purpose(3)
HISTORY
X509_check_issued() has had its arguments altered to be const in OpenSSL 4.0.
COPYRIGHT
Copyright 2015-2026 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.