On Sun, Jul 09, 2017, Matthew Stickney wrote: > The Certificate Manager in Windows does allow you to change the trust > settings for root certs (including the purposes reported by openssl > x509 -purpose), although those changes don't appear to be reflected in > the cert dumped from the store (so they must be stored externally). >
Yes they're external properties. The certificate encoding returned can't be modified of course because that would break the signature. I think I did some experiments with CertGetEnhancedKeyUsage() and CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG before. IIRC this reflected system settings but not those visible in the MSIE dialogs: that is changing the setting in MSIE didn't change the values returned by that API. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev