On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:

> Does OpenSSL have documented someplace exactly what it means to have a
> "TRUSTED CERTIFICATE"?

It is a certificate + auxiliary data which specifies a friendly name
plus a set of EKUs.

> For example, say we're talking about a certificate that i am willing to
> accept for the peer foo.example. If i mark it TRUSTED and it has
> another SubjectAltName of bar.example, will OpenSSL subsequently accept
> it for bar.example as well?

    http://marc.info/?l=openssl-dev&m=115218769327835&w=2

There is no explicit association with a particular peer, it is up to
the application to add corresponding "trusted certificates" to the
store when validating particular peers for which such certificates
have been configured.

If such a certificate is added to the default store, then it will
apply to all cases with a matching EKU.

--
	Viktor.
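
As an added illustration (not part of the original message), the script below builds a "TRUSTED CERTIFICATE" with the openssl command line and shows that the auxiliary data limits the EKU, not the peer name. The host names, alias and file names are constructed, and the accept/reject results assume OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: names, alias and file names below are constructed.
set -e
work=$(mktemp -d) && cd "$work"

# Self-signed certificate valid for foo.example and bar.example.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = foo.example
[v3]
subjectAltName = DNS:foo.example, DNS:bar.example
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config req.cnf \
    -keyout key.pem -out cert.pem 2>/dev/null

# Attach the auxiliary data: a friendly name and one trusted EKU.
openssl x509 -in cert.pem -trustout -setalias "foo pin" \
    -addtrust serverAuth -out trusted.pem
# Writing it back without -trustout drops the auxiliary data again.
openssl x509 -in trusted.pem -out plain.pem

pem_label()  { head -n 1 "$1"; }
cert_alias() { openssl x509 -in "$1" -noout -alias; }

# Verify cert.pem with trusted.pem as the only store entry.
# $1 = purpose (selects the EKU checked against the trust data);
# remaining arguments are passed to "openssl verify".
check() {
    purpose=$1; shift
    if openssl verify -CAfile trusted.pem -purpose "$purpose" "$@" \
        cert.pem >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

echo "label:  $(pem_label trusted.pem)"
echo "alias:  $(cert_alias trusted.pem)"
echo "server: $(check sslserver)"
echo "client: $(check sslclient)"
# The trust data names no peer: every name in the certificate passes.
echo "foo:    $(check sslserver -verify_hostname foo.example)"
echo "bar:    $(check sslserver -verify_hostname bar.example)"
echo "other:  $(check sslserver -verify_hostname other.example)"
```

Restricting such a certificate to one peer therefore has to happen in the application, by loading it only into the store used for that peer.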