On Wed, Oct 24, 2012, Jordan Brown wrote:

> If I have
>     RootCA -> IntermediateCA -> ServerCert
> current OpenSSL will only support trusting RootCA, not trusting
> IntermediateCA or ServerCert.
>
> I see in
> http://old.nabble.com/Verify-intermediate-certificate-td33129488.html
> that there's an experimental new flag X509_V_FLAG_TRUSTED_FIRST that
> will help.
>
> However, it looks like it will only help with IntermediateCA; it doesn't
> look like it will help if all I want to trust is the leaf certificate
> ServerCert. (It appears to act by checking to see if a cert's issuer is
> in the trust store, and the leaf cert isn't an issuer.)
>
> It seems to me that one of the checks should be, like the
> self-signed-cert check, whether the cert in question is already in the
> trust store.
>

There is an experimental flag X509_V_FLAG_PARTIAL_CHAIN which may do what
you want.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
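
The three trust-store cases from this thread (only RootCA, only IntermediateCA, only ServerCert trusted), as an added example that is not part of the original messages or of OpenSSL's own code. It assumes an `openssl` command-line tool from 1.0.2 or later, whose `verify -partial_chain` option sets X509_V_FLAG_PARTIAL_CHAIN; the function names `make_chain` and `verify_leaf`, the file names and the subject names are constructed for the demo.

```shell
#!/bin/sh
# Added demo; every key, name and certificate is generated here, none is real.

# Build RootCA -> IntermediateCA -> ServerCert as PEM files in directory $1.
make_chain() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    newreq="openssl req -config $d/demo.cnf -newkey rsa:2048 -nodes"
    $newreq -x509 -extensions ca_ext -days 2 -subj "/CN=Demo RootCA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    $newreq -subj "/CN=Demo IntermediateCA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/demo.cnf" -extensions ca_ext \
        -out "$d/int.pem" 2>/dev/null || return 1
    $newreq -subj "/CN=server.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Verify ServerCert with file $2 as the only trust-store entry. IntermediateCA
# is always supplied as untrusted, the way a TLS peer would send it.
# $3 is an optional extra flag (-partial_chain). Prints "ok" or "fail".
verify_leaf() {
    if openssl verify $3 -CAfile "$1/$2" -untrusted "$1/int.pem" \
        "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
    then echo ok; else echo fail; fi
}

dir=$(mktemp -d) && make_chain "$dir" || exit 1
for anchor in root.pem int.pem leaf.pem; do
    echo "trust only $anchor: default=$(verify_leaf "$dir" "$anchor")" \
        "partial_chain=$(verify_leaf "$dir" "$anchor" -partial_chain)"
done
rm -rf "$dir"
```

Default verification succeeds only when RootCA is the trusted entry; with `-partial_chain` the same chain also verifies when the only trusted entry is IntermediateCA or ServerCert itself.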