|
Hi,Steve,
Thanks for your
answer.
But if by default, I have to prepare the whole
certificate chain in the X509_STORE, what is the difference between X509_STORE
and STACK_OF(X509) in OCSP case? The certificates in STORE are still need to be
verified when verifying the certificate of the signer of the OCSP.
OR,Can I understand like as
follows ?
The STACK_OF(X509) is just like an optional choice to
the user.
If the user feel there will be a gap between the
leaf certificate in the X509_STORE and the certificate of the OCSP response
signer . That is , the leaf certificate in the STORE is NOT the direct signer to
the certificate of the response signer.
He can input some more certificates to fill the gap
so that the whole chain from the root CA to the OCSP response Signer certificate
can be set up.
Can I say like above ?
thanks again
wjw
----- Original Message -----
Sent: Saturday, June 14, 2003 4:02
AM
Subject: Re: about the X509_STORE of
OCSP
On Fri, Jun 13, 2003, Wu Junwei wrote:
>
Hi,all > when I
use openssl ocsp
-issuer xxx -cert XXXX -url xxx -CAfile >
xxx... to get the ocsp resposne, and verify
it. > Do I need to setup up the whole chain from the root CA to the
entry CA in > the CAfile or CApath? > > I mean , when I set
the trusted certificate(s) in the X509_STORE, do I need > to insert the
root CA or upper level CA of the trusted certificate into the >
STORE? > Can I just input the trusted certificate into the STORE ( this
trusted > certificate is not root CA )? > In the default case
you need any certificate in the responder chain that is not part of the
response including the root.
This however can be customised by the
various flags depending on whatever trust model is appropriate to the
responder in question.
Steve. -- Dr Stephen N. Henson. Core
developer of the OpenSSL project: http://www.openssl.org/ Freelance
consultant see: http://www.drh-consultancy.demon.co.uk/ Email:
[EMAIL PROTECTED],
PGP key: via
homepage. ______________________________________________________________________ OpenSSL
Project
http://www.openssl.org User Support
Mailing
List
[EMAIL PROTECTED] Automated
List
Manager
[EMAIL PROTECTED]
|