> X509_verify_cert will construct the cert chain up to the ROOT CA and then
> validate the chain and finally verify the self-certificate.  What I
> understand is that this function expects the ROOT CA to be
> self-signed and
> it MUST be present in the trusted list.

        Right.

> 1. Is it a MUST that the Root CA be self-signed?

        What else would sign the root CA? If something else signed it, it
wouldn't be a root CA.

> The reason is that the
> trust anchor up to which the application MAY verify need not be the ROOT
> CA.

        That is the definition of a root CA. It is the one that you trust.

> Is there any standard that indicates that the chain MUST be verified
> up to the ROOT CA?  Is there any way where I can tell the function to
> return success even if the chain is not complete (up to the ROOT CA)?

        You can replace the verify function with your own and declare success
under whatever conditions you want. If you want a quick, ugly way to make
intermediate certificates act like root ones, just create your own temporary
root and self-signed certificate, and add that self-signed certificate to your
list of trusted roots. Then, for any intermediate certificate you want to
trust, just generate your own certificate signed with your temporary root,
and add it to the list of certificates.

        DS
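As an added example (not part of the thread and not OpenSSL's own code), the shell script below uses the openssl command-line tool, assumed to be installed at version 1.0.2 or newer, to build a throwaway root -> intermediate -> leaf chain and then verifies the leaf in the three situations the exchange describes: root trusted with the intermediate supplied as untrusted, intermediate trusted with no root (the case the question asks about, which fails), and intermediate trusted with -partial_chain, the CLI switch for X509_V_FLAG_PARTIAL_CHAIN, which lets a trusted but non-self-signed certificate terminate the chain. It finishes with the workaround from the reply: a private root re-issues the intermediate's CSR and both certificates go into one trusted-CA file. All names, keys and certificates are constructed on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself.
# Assumes the openssl CLI (1.0.2 or newer) is installed. Everything below is
# generated in a temporary directory; names and keys are constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA certificates vs. the end-entity (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

# new_csr NAME SUBJECT: fresh P-256 key in NAME.key and a CSR in NAME.csr
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

# self_sign NAME: turn NAME.csr into a self-signed CA certificate NAME.pem
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -extfile ca.ext \
    -out "$1.pem" >/dev/null 2>&1
}

# issue CSRNAME ISSUER EXTFILE OUT: sign CSRNAME.csr with ISSUER's key and cert
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile "$3" -out "$4" >/dev/null 2>&1
}

# The chain the question is about: root -> int -> leaf
build_chain() {
  new_csr root "/CN=Example Root"
  self_sign root
  new_csr int "/CN=Example Intermediate"
  issue int root ca.ext int.pem
  new_csr leaf "/CN=example.test"
  issue leaf int leaf.ext leaf.pem
}

# The reply's workaround: a private root re-issues the intermediate's own CSR
# (same subject, same public key), and both go into one trusted-CA file.
build_private_root() {
  new_csr private "/CN=My Private Root"
  self_sign private
  issue int private ca.ext int-reissued.pem
  cat private.pem int-reissued.pem > private-trust.pem
}

# verifies ARGS...: succeeds exactly when 'openssl verify ARGS... leaf.pem' does
verifies() {
  openssl verify "$@" leaf.pem >/dev/null 2>&1
}

# result ARGS...: human-readable form of verifies for the demo output
result() {
  if verifies "$@"; then echo ok; else echo FAIL; fi
}

build_chain
build_private_root
echo "root trusted, intermediate untrusted:    $(result -CAfile root.pem -untrusted int.pem)"
echo "intermediate trusted, no root (default): $(result -CAfile int.pem)"
echo "intermediate trusted, -partial_chain:    $(result -partial_chain -CAfile int.pem)"
echo "private root + re-issued intermediate:   $(result -CAfile private-trust.pem)"
```

In the C API the same effect as -partial_chain comes from X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN) before calling X509_verify_cert. The re-issue trick works because the leaf's signature is checked against the intermediate's public key, not against a particular certificate carrying it; the cost is that the private root now vouches for that intermediate on its own, so a revocation or expiry of the real intermediate certificate no longer has any effect on this verifier.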


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]