On Fri, Jun 13, 2003, Wu Junwei wrote: > Hi,all > when I use openssl ocsp -issuer xxx -cert XXXX -url xxx -CAfile > xxx... to get the ocsp resposne, and verify it. > Do I need to setup up the whole chain from the root CA to the entry CA in > the CAfile or CApath? > > I mean , when I set the trusted certificate(s) in the X509_STORE, do I need > to insert the root CA or upper level CA of the trusted certificate into the > STORE? > Can I just input the trusted certificate into the STORE ( this trusted > certificate is not root CA )? > In the default case you need any certificate in the responder chain that is not part of the response including the root.
This however can be customised by the various flags depending on whatever trust model is appropriate to the responder in question. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
