On Tue, Jan 13, 2004, jiang lei wrote:
> Hi all,
>
> My question is mainly about X509 stores and certificate lookups.
>
> I was developing an HTTP client on Windows 2000 using OpenSSL.
> To use Windows certificate stores in my program, I used the Windows Crypto
> API to enumerate through all root CAs and trusted CAs, converting them to
> X509 format, and adding them to an X509 store. Everything worked fine until the
> beginning of this year.
>
> Our certificate expired on the new year, so we renewed it. We supposed it should
> be pointing to the right issuer automatically, but it's not. OpenSSL is
> always complaining that "Class 3 Public Primary Certification Authority"
> expired. There are 2 certificates with exactly the same DName in the Windows
> cert store. One expired on Jan. 8th, 2004 and the other expires on Feb. 8th,
> 2028. I took a stack trace and found that X509_STORE_CTX_get1_issuer() was
> always stopping at the first CA and reporting a match.
>
> Moreover, when my cert verify callback function was called, the cert chain
> had already been built and the current cert had already been checked. The only
> thing I can do is to record the errors and answer "Yes" or "No" (I always
> answer yes to continue with verification and collect error codes). So it
> appears to me as if there is no way to override it with a lookup-and-verify
> process.
>
> However, Windows will not stick on the first CA; it will use the 2nd CA
> automatically.
>
> Can anybody tell me if it's right to have several CAs with the same name in
> a cert store? Is there any solution to this problem?
Can't you delete the expired certificate from CryptoAPI, or ensure that you don't add expired CAs to OpenSSL's store?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
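As an added illustration (not code from the thread and not OpenSSL's own code), the following plain-Python model shows why store order mattered in the situation above: a lookup that takes the first name match returns whichever same-name root CryptoAPI enumerated first, which here is the expired one, while either leaving expired CAs out of the store before adding them (Steve's suggestion) or preferring a time-valid candidate among same-name matches yields the root that runs to 2028. The certificate objects, the leaf certificate, the store order and the "now" date are constructed for the example, using the names and dates quoted in the thread; nothing here parses real X.509 data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X509 object: only the fields issuer lookup uses."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    label: str  # only so the two same-name roots can be told apart


def is_time_valid(cert: Cert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def first_match_issuer(store, cert, now=None):
    """Return the first store entry whose subject equals cert's issuer name.
    This models what the poster observed: a name match ends the search,
    with no check of the candidate's validity dates."""
    for candidate in store:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def best_issuer(store, cert, now):
    """Name match, but prefer a candidate that is valid at `now`. Fall back
    to the first name match so a store holding only an expired CA still
    yields a chain (and thus an 'expired' error rather than 'no issuer')."""
    fallback = None
    for candidate in store:
        if candidate.subject != cert.issuer:
            continue
        if is_time_valid(candidate, now):
            return candidate
        if fallback is None:
            fallback = candidate
    return fallback


def without_expired(store, now):
    """Steve's suggestion: filter expired CAs out before they reach the store."""
    return [c for c in store if is_time_valid(c, now)]


def verify(store, leaf, now, pick):
    """Build a one-step chain with the given issuer picker and return the
    list of errors, mimicking 'answer yes and collect error codes'."""
    errors = []
    if not is_time_valid(leaf, now):
        errors.append("leaf certificate has expired")
    issuer = pick(store, leaf, now)
    if issuer is None:
        errors.append("unable to get issuer certificate")
    elif not is_time_valid(issuer, now):
        errors.append(f"CA certificate has expired ({issuer.label})")
    return errors


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (names and dates as quoted in the thread).
CA_DN = "Class 3 Public Primary Certification Authority"
OLD_ROOT = Cert(CA_DN, CA_DN, _utc(1996, 1, 29), _utc(2004, 1, 8), "root-expiring-2004")
NEW_ROOT = Cert(CA_DN, CA_DN, _utc(1996, 1, 29), _utc(2028, 2, 8), "root-expiring-2028")
# A renewed end-entity cert issued under that name (constructed; the thread gives no details).
LEAF = Cert("CN=www.example.test", CA_DN, _utc(2004, 1, 1), _utc(2005, 1, 1), "leaf")
# Assumed enumeration order: CryptoAPI handed over the old root first.
STORE_AS_ENUMERATED = [OLD_ROOT, NEW_ROOT]
NOW = _utc(2004, 1, 13)  # date of the thread


if __name__ == "__main__":
    print("first match :", verify(STORE_AS_ENUMERATED, LEAF, NOW, first_match_issuer))
    print("prefer valid:", verify(STORE_AS_ENUMERATED, LEAF, NOW, best_issuer))
    print("filtered    :", verify(without_expired(STORE_AS_ENUMERATED, NOW), LEAF, NOW, first_match_issuer))
```

Filtering at load time is the simplest fix for the poster's client, since it controls what goes into the store; the `best_issuer` variant shows the lookup-side alternative, and later OpenSSL releases made `X509_STORE_CTX_get1_issuer()` prefer a time-valid candidate among same-name CAs in much this way.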
