Hi,Steve,
 
    Thanks for your answer.
 
But if by default, I have to prepare the whole certificate chain in the X509_STORE, what is the difference between X509_STORE and STACK_OF(X509) in OCSP case? The certificates in STORE are still need to be verified when verifying the certificate of the signer of the OCSP.
 
OR,Can I understand like as follows ?
 
The STACK_OF(X509) is just like an optional choice to the user.
If the user feel there will be a gap between the leaf certificate in the X509_STORE and the certificate of the OCSP response signer . That is , the leaf certificate in the STORE is NOT the direct signer to the certificate of the response signer.
He can input some more certificates to fill the gap so that the whole chain from the root CA to the OCSP response Signer certificate can be set up.
 
Can I say like above ?
 
thanks again
wjw
 
----- Original Message -----
Sent: Saturday, June 14, 2003 4:02 AM
Subject: Re: about the X509_STORE of OCSP

On Fri, Jun 13, 2003, Wu Junwei wrote:

> Hi,all
> when I use           openssl ocsp -issuer xxx -cert XXXX -url xxx -CAfile
> xxx...      to get the ocsp resposne, and verify it.
> Do I need to setup up the whole chain from the root CA to the entry CA in
> the CAfile or CApath?
>
> I mean , when I set the trusted certificate(s) in the X509_STORE, do I need
> to insert the root CA or upper level CA of the trusted certificate into the
> STORE?
> Can I just input the trusted certificate into the STORE ( this trusted
> certificate is not root CA )?
>
In the default case you need any certificate in the responder chain that is
not part of the response including the root.

This however can be customised by the various flags depending on whatever
trust model is appropriate to the responder in question.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to