There is currently no automated protocol for doing this. There is currently an effort at PKIX for a "Trust Anchor Management Protocol", though, which would allow for tools to be made cross-platform.
Also, self-signed CAs are basically never checked for expiration. (The 'trust anchor' is technically the public key, not the identity information strongly bound to the public key in the certificate.)

-Kyle H

On Mon, Jan 26, 2009 at 9:28 PM, PS <mytechl...@gmail.com> wrote:
> Can you please elaborate on how would the higher-layer security
> infrastructure go about this?
> To me, it just seems impossible to do this and the issue might only be
> mitigated by spreading awareness by an out-of-band means but not eliminated
> until, of course, the self-signed CA certificate expires.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org