Hi Jafar, > I did write a script that does that but I thought it is very inefficient > since you have to sweep through CAs/CRLs with pki --print to figure out > the correct chain in order to use them with pki --verify.
You can just pass it all the CA certs/CRLs you (or rather the daemon) trust. Unless you have e.g. configs with CA cert constraints there is not really a need to pass the exact chain to figure out whether a certificate is valid and trusted by the daemon. > Thanks for > letting me know abot pki-verify-dirs. Sounds like what I'm looking for. > I wish I knew it exists before wasting time on scripting :-). It didn't, I quickly put that together this morning :-) > Is that branch going to be merged any time soon? Probably not with the upcoming release, but maybe the next one. Regards, Tobias