On Thu, Nov 20, 2008 at 01:29:25AM +0800, Talasila, Ravikanth wrote:

> Hi,
>
> Using OpenSSL API
>
> 1. How to find that a certificate is expired? Which API deals with
>    this?
> 2. How to move an expired certificate to revocation list? Is it
>    done automatically?

Expired certificates don't need to be revoked. Only unexpired ones that
have become compromised may be revoked, but you can't expect all clients
to check revocation lists, unless you also control the clients.

> 3. How certificates are verified at server side? If a bunch of
>    certificates available (inside a pem file), all these are verified to
>    match the client certificate?

OpenSSL only verifies the trust chain (and checks the expiration dates, ...),
and optionally checks revocation lists (if you import the appropriate CRL
into your X509_STORE). It is up to you to determine whether the subject
of the specific certificate is *authorized* to access the service.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
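
The three points of the reply above, as an added example that is not part of the original message. It uses Python's standard `ssl` module (a binding over OpenSSL) rather than the C API; the certificate dictionary, the allow-list and the function names are constructed for illustration.

```python
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "backup-agent-01"),),),
    "notAfter": "Nov 20 01:29:25 2009 GMT",
}

def make_server_context(ca_file=None, crl_file=None):
    """Server context that demands a client certificate.

    OpenSSL checks the trust chain and validity dates during the handshake.
    CRLs are consulted only if one is loaded AND the CRL flag is set.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)    # trusted issuers
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)   # CRL goes into the same store
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def cert_expired(peercert, now=None):
    """True if the certificate's notAfter date lies in the past."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return (time.time() if now is None else now) > not_after

def subject_cn(peercert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authorize(peercert, allowed_cns, now=None):
    """Application decision made after the chain was accepted:
    a valid chain proves identity, not permission to use the service."""
    if cert_expired(peercert, now):
        return False
    return subject_cn(peercert) in allowed_cns
```

An expired certificate is rejected by the date check alone, without any CRL entry; the allow-list lookup is the authorization step that chain verification does not perform.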