Hello, I am using OpenSSL to implement SSL in my application. I would
like to enable trusting a subordinate CA in my server (I do not want to trust the
root CA and other subordinate CAs, only a specific subordinate CA). I
have used the verify callback and I can do this, but I have another problem with the
revocation check. Since I don't have the root CA in my trusted CA
list, I cannot validate the CRL for the trusted subordinate CA. The only solution that I can think of is using two separate
trusted CA stores, one for authentication (that will contain only the specific
subordinate CA) and one for revocation checking (that will contain the root CA). Does
this sound like a reasonable solution? Has anyone done something like this and
can provide some information on how? TX.
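The two-store idea from the post, reproduced with the openssl command line as an added example (not code from the poster): it builds a throwaway root -> subordinate -> leaf hierarchy, shows the CRL check failing when only the subordinate CA is trusted (via -partial_chain), and then passing against a second store that holds the root. All names and files are constructed; it assumes an openssl binary of 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Constructed demo of the situation in the post (added example, not code from the
# post): root CA -> subordinate CA -> leaf, then the two verify modes.
set -e
work=$(mktemp -d) && cd "$work"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
mkcsr() { openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null; }
mkcsr root; mkcsr sub; mkcsr leaf
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 -extfile ca.ext 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -out sub.pem -days 2 -extfile ca.ext 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial -out leaf.pem -days 2 2>/dev/null
# Each CA publishes an (empty) CRL; 'openssl ca -gencrl' needs a minimal config.
for ca in root sub; do
  : > "$ca.idx"
  printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s.idx\nprivate_key=%s.key\ncertificate=%s.pem\ndefault_md=sha256\ndefault_crl_days=1\n' "$ca" "$ca" "$ca" > "$ca.cnf"
  openssl ca -config "$ca.cnf" -gencrl -out "$ca.crl" 2>/dev/null
done
cat root.crl sub.crl > all.crl   # one file holding both CAs' CRLs

# Store 1 (authentication): only the subordinate CA is trusted; -partial_chain
# lets OpenSSL stop at a non-root trust anchor.
auth_ok() { openssl verify -partial_chain -CAfile sub.pem leaf.pem >/dev/null 2>&1; }
# Same store plus CRL checking: the CRL covering the subordinate CA is signed by
# the root, which this store does not contain, so the check cannot pass.
crl_sub_only() { openssl verify -partial_chain -crl_check_all -CAfile sub.pem -CRLfile all.crl leaf.pem >/dev/null 2>&1; }
# Store 2 (revocation): the root is trusted and the subordinate CA is supplied as
# an untrusted intermediate, so both CRLs can be validated.
crl_with_root() { openssl verify -crl_check_all -CAfile root.pem -untrusted sub.pem -CRLfile all.crl leaf.pem >/dev/null 2>&1; }
# A peer is accepted only if it passes both stores.
accept() { auth_ok && crl_with_root; }

auth_ok && echo "store 1, chain check: OK"
crl_sub_only || echo "store 1, CRL check:   fails (root CA unknown to this store)"
crl_with_root && echo "store 2, CRL check:   OK"
accept && echo "combined decision:    accept"
```

The same split carries over to the C API: one X509_STORE with the subordinate CA and X509_V_FLAG_PARTIAL_CHAIN for the chain check, a second with the root, both CRLs and X509_V_FLAG_CRL_CHECK_ALL for revocation.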