Hi Goetz, Thanks again for the helpful reply.
> Let me guess:
>
> root CA -- signs --> client cert
>          \- signs --> server cert

That's it.

> To do verify on both sides you need:
> * client: client key, client cert, root cert (to verify server cert)
> * server: server key, server cert, root cert (to verify client cert)

I do things pretty much as you described except for the following:

> * On server:
>   * if your server cert is signed by the root,
>     you can turn off sending of the root to the cert by
>     SSL_CTX_set_mode(ctx,SSL_MODE_NO_AUTO_CHAIN)

I can't find this option (or similar) in the docs or header files. Was this added in 0.9.7 or later?

On server and client:

> * add the CA cert to the server's verify data
>   X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx),root)

I use SSL_CTX_load_verify_locations(ctx, root, path). Does this do the same thing?

Cheers,
Mark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                   openssl-users@openssl.org
Automated List Manager                             [EMAIL PROTECTED]