I'm trying to use 'openssl verify' to verify a certificate chain for
which I have (and trust) the root CA certificate.

Verify just returns 'OK' whenever there's any self-signed certificate
anywhere in the certificate chain. I can't figure out how to specify
that my root CA certificate is the only acceptable one. Any ideas?

Suppose I'm trying to authenticate something using verify. All they
have to do is give me a self-signed certificate and it verifies fine.
This doesn't seem too secure. How can I prevent this?

Also, in the same code (the 'cb' function in apps/verify.c), expired
certificates are accepted. Why is this? I would think that expired
certificates in the certificate chain should be an error rather than
just a warning.

I also can't get the -CApath option to work. I think openssl just
ignores files in the directory I specify using this option. Is there
something I'm missing?

Cheers,
-Ian Alderman
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
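
An added example, not part of the original post and not OpenSSL project code: a shell check that pins verification to one root, rejects a self-signed or expired certificate by exit status, and shows the hashed file name that -CApath looks up. It assumes OpenSSL 1.1.0 or later (for -no-CAfile and -no-CApath); every certificate name, subject and path in it is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path here is made up for the example.
# Assumes OpenSSL 1.1.0 or later (for -no-CAfile / -no-CApath).
WORK=$(mktemp -d)

# Create a throwaway self-signed certificate: mkroot <basename> <CN>
mkroot() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

mkroot root  "Demo Trusted Root"      # the one CA we trust
mkroot rogue "Demo Self-Signed Peer"  # what an untrusted party might present

# Leaf certificate issued by the trusted root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -days 30 -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# -CApath only finds files named <subject-hash>.<n>; plain PEM names are skipped.
mkdir "$WORK/capath"
cp "$WORK/root.pem" "$WORK/capath/root.pem"
HASH=$(openssl x509 -noout -subject_hash -in "$WORK/root.pem")

# Trust only root.pem: -no-CApath keeps the system default directory out.
# (OpenSSL 3.x also has -no-CAstore for its default store.)
verify_pinned() {
    openssl verify -no-CApath -CAfile "$WORK/root.pem" "$@" >/dev/null 2>&1
}
# Same check through a hashed directory instead of a single file.
verify_capath() {
    openssl verify -no-CAfile -CApath "$WORK/capath" "$@" >/dev/null 2>&1
}
# Decide on the exit status, never on the presence of "OK" in the output.
report() { if "$@"; then echo "ACCEPT: $*"; else echo "REJECT: $*"; fi; }

report verify_pinned "$WORK/leaf.pem"      # ACCEPT
report verify_pinned "$WORK/rogue.pem"     # REJECT (self-signed, not our root)
# Evaluate the chain 90 days from now, after the 30-day certs have expired.
report verify_pinned -attime $(( $(date +%s) + 7776000 )) "$WORK/leaf.pem"  # REJECT
report verify_capath "$WORK/leaf.pem"      # REJECT: directory not hashed yet
ln -s root.pem "$WORK/capath/$HASH.0"      # what `openssl rehash` / c_rehash does
report verify_capath "$WORK/leaf.pem"      # ACCEPT
```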