You want to do certificate validation, but you need the correct certificates from the certification authorities you intend to support.
The certificates that you need can be obtained from the authority themselves, but unfortunately, many CAs do not make them easy to get. OpenSSL includes several of the more common root CA certificates, but it is not a complete collection. Popular web browsers such as Internet Explorer for Windows also allow you to export the certificates they contain.
A much more in-depth survey of all the common root certificates (particularly the ones found in Microsoft’s Internet Explorer) is available in the Root Report , available for sale from the PKI Laboratory (http://www.pkiclue.com).
You should either obtain certificates directly from the CA over a trusted medium or check the fingerprints of certificates you find on the net or in your browser against fingerprints published in a trusted source. You can do this by calling the CA, or you can compare against the fingerprints published in this book.
Table 10-1 lists information about the root certificates for several prominent CAs. The information was collected from Internet Explorer for Windows, but it contains only those CAs that also publish CRLs. You can download these certificates (in PEM format) from the book’s web site, but be sure to check the fingerprint of the certificate against the fingerprint listed in this book. To check the fingerprint ...