On Thu, Jun 03, 2010, jeff wrote:
> I will try to include complete attachments with examples.
>
> In the meantime I had to say that I was also told (aside from the one
> of the replies on this thread) that the enforcement of the constraints
> would be at the time of verification.
> Therefore I took the following steps to "verify" the produced
> certificates. Neither one actually complained at all about the
> compliance with the constraint.
>
> 1. Using "openssl verify"
>
> openssl verify -CAfile trusted.pem -policy_check -x509_strict badcert.pem
>
> "trusted.pem" is a concat of my root CA and the sub-CA certs.
>
> Results:
> badcert.pem: OK
>
Try this instead:

openssl verify -CAfile root.pem -untrusted cas.pem badcert.pem

Where "root.pem" contains the root CA only and "cas.pem" is a concatenation of any intermediate CAs.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
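As an added example (not from this thread or the OpenSSL project) that can be run to see the trust layout Steve describes: a throwaway root, sub-CA and leaf are generated, then the leaf is verified with only the root trusted and the sub-CA passed via -untrusted. The file names, subjects and helper function names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): build a
# throwaway root -> sub-CA -> leaf PKI and verify the leaf the way Steve
# describes, with the root as the only trust anchor and the intermediate
# supplied via -untrusted. File names and subjects are constructed here.

# make_test_pki DIR: create root.pem/sub.pem/leaf.pem (plus keys) in DIR.
make_test_pki() {
  d=$1
  mkdir -p "$d"
  # Self-signed root; "req -x509" marks it CA:TRUE via the default config.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=TestRoot \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Sub-CA: must carry basicConstraints CA:TRUE or it cannot issue certs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj /CN=TestSubCA \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
  # End-entity certificate issued by the sub-CA.
  openssl req -newkey rsa:2048 -nodes -subj /CN=leaf.example.test \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf ROOT LEAF [INTERMEDIATES]: returns 0 only if LEAF chains to
# ROOT. Only ROOT is trusted; INTERMEDIATES are candidates that must
# themselves validate, so a sub-CA is never accepted as a trust anchor.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Typical use:
#   make_test_pki /tmp/pki
#   verify_leaf /tmp/pki/root.pem /tmp/pki/leaf.pem /tmp/pki/sub.pem && echo OK
```

Because the intermediate never appears in -CAfile, it is validated as part of the chain rather than accepted on sight, which is the difference between this layout and a concatenated trusted.pem.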