On Thu, Nov 20, 2008 at 01:29:25AM +0800, Talasila, Ravikanth wrote:

> Hi,
>
> Using OpenSSL API
> 
> 1.    How to find that a certificate is expired? Which API deals with
> this?
> 2.    How to move an expired certificate to revocation list? Is it
> done automatically?

Expired certificates don't need to be revoked. Only unexpired ones that
have become compromised may be revoked, but you can't expect all clients
to check revocation lists, unless you also control the clients.

> 3.    How certificates are verified at server side? If a bunch of
> certificates available (inside a pem file), all these are verified to
> match the client certificate?

OpenSSL only verifies the trust chain (and checks the expiration
dates, ...), and optionally checks revocation lists (if you import
the appropriate CRL into your X509_STORE). It is up to you to determine
whether the subject of the specific certificate is *authorized* to access
the service.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]