When invoking the "pki --verify" command, the user has to supply all of the CA certs along the trust chain for the verification to take place appropriately. This could be cumbersome if the trust chain is long (>1).  If there are CRLs, they also have to be supplied as well. If the certificate store is known (default location for example such as /etc/ipsec.d/), shouldn't this all be done automatically? i.e, once you know the certificate to be verified,  you can lookup the issuers all the way up to the root CA with their associated CRLs. Is there any reason why it doesn't work that way, other than nobody gotten around to doing it?


Reply via email to