On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
> Is there a way (via the API rather than the tool) to tell OpenSSL that
> the sub-CA certificate is trusted and it doesn't need to walk further
> up the chain? For my case, I embed the sub-CA certificate in my code
> and I'm space constrained so I'd prefer to not include the entire
> certificate chain.

According to RFC5280 this is not allowed (see section 6). Given that if the Root revokes the Sub-CA, the EE cert is invalid, you have to check the entire chain to ensure that all parts are still valid. As a rule, you can only use self-signed certificates as trust anchors.

Have fun.

Patrick.
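
Added example, not part of the original message and not OpenSSL project code: it builds a constructed three-level chain with the `openssl` command-line tool and shows how the contents of the trust store change the verification result. The names, file paths and 1-day lifetime are assumptions; `-partial_chain` is the tool option matching the API flag `X509_V_FLAG_PARTIAL_CHAIN`, available in OpenSSL 1.0.2 and later, which postdates this thread.

```sh
#!/bin/sh
# Constructed demo PKI (root -> sub-CA -> end entity), generated locally.
# Names, paths and the 1-day lifetime are assumptions made for this example.
make_pki() {
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: the conventional trust anchor.
  openssl req -x509 -config "$d/demo.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1 || return 1
  for n in sub ee; do   # key + CSR for the sub-CA and the end entity
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
  done
  # Root signs the sub-CA (CA:TRUE); the sub-CA signs the end entity.
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1 -days 1 -extfile "$d/demo.cnf" -extensions ca_ext \
    -out "$d/sub.pem" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/ee.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -set_serial 2 -days 1 -out "$d/ee.pem" >/dev/null 2>&1 || return 1
}
# Root as anchor, sub-CA passed as an untrusted intermediate: full path.
verify_full() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/ee.pem" >/dev/null 2>&1
}
# Only the sub-CA in the store: default path building wants a self-signed root.
verify_sub_only() { openssl verify -CAfile "$1/sub.pem" "$1/ee.pem" >/dev/null 2>&1; }
# Same store with -partial_chain: the path may end at the trusted sub-CA.
verify_partial() {
  openssl verify -partial_chain -CAfile "$1/sub.pem" "$1/ee.pem" >/dev/null 2>&1
}
demo() {
  d=$(mktemp -d) || return 1
  make_pki "$d" || { rm -rf "$d"; return 1; }
  verify_full "$d"     && r1=ok || r1=fail
  verify_sub_only "$d" && r2=ok || r2=fail
  verify_partial "$d"  && r3=ok || r3=fail
  rm -rf "$d"
  echo "full=$r1 sub_only=$r2 partial=$r3"
}
demo   # expected: full=ok sub_only=fail partial=ok
```

When the path ends at the sub-CA, nothing above it is examined, so a revocation of the sub-CA issued by the root is not seen by the verifier. A deployment that pins the sub-CA this way needs its own means of replacing or distrusting the embedded certificate.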