On Mon, Jan 16, 2012, Eisenacher, Patrick wrote:

> > -----Original Message-----
> > From: Steffen DETTMER
> >
> > * Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100:
> >  [...]
> > > >>> Or, in other words: Let's assume I have an ultimate root
> > > >>> (self-signed) "Root" and a branched CA "X". I would like to
> > > >>> trust "X" and all its children, but not "Root". Is this
> > > >>> not possible?
> > [yes, it is not possible "by default"]
> >
> > > Thank you for your clarification. I also do not really see the
> > > point why the anchor of trust has to be self-signed.
> >
> > I also wondered about this some time ago. I think when a user
> > explicitly puts a sub-CA or even a non-CA certificate into the
> > database of trusted certificates, chain verification could stop
> > there without knowing the root-CA.
> 
> If I remember correctly, there is work going on to enable such functionality 
> in an upcoming release. Perhaps Steve can shed some light on its status.
> 

There is experimental support for this in HEAD only. You need to set an
explicit trust option on the intermediate CA and it should verify OK even if
the root is absent.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
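The behaviour Steve describes above, worked through as an added example (this is not code from the thread and not OpenSSL project code): a chain Root -> X -> leaf is built with the openssl command-line tool, then the leaf is verified against a trust store that contains only X, so "Root" is never trusted. It assumes an openssl binary on PATH (written against 1.1.1 and 3.x; -no-CAfile/-no-CApath need 1.1.0 or later, -partial_chain needs 1.0.2 or later). The config file, the names Root, X and leaf.example.test, the file names and the choice of serverAuth as the trusted use are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSL project.
# Builds Root -> X -> leaf, then verifies the leaf against a trust store
# that holds only X, so "Root" is never trusted.  Needs an openssl binary
# (written against 1.1.1/3.x; -no-CAfile/-no-CApath need 1.1.0+).
set -e

LAB="$(mktemp -d)"              # scratch dir for keys, certs and config
trap 'rm -rf "$LAB"' EXIT
cd "$LAB"

# Minimal config constructed here so nothing depends on the system
# openssl.cnf.  ca_ext gives X a real CA profile (CA:TRUE, keyCertSign);
# without it the verifier would reject X as an issuer for other reasons.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:leaf.example.test
EOF

# Self-signed "Root": the anchor we deliberately do NOT put in the store.
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj /CN=Root -days 30 2>/dev/null

# Intermediate "X", issued by Root.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout x.key -out x.csr -subj /CN=X 2>/dev/null
openssl x509 -req -in x.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions ca_ext -out x.crt -days 30 2>/dev/null

# End-entity certificate issued by X.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj /CN=leaf.example.test 2>/dev/null
openssl x509 -req -in leaf.csr -CA x.crt -CAkey x.key -CAcreateserial \
    -extfile ca.cnf -extensions leaf_ext -out leaf.crt -days 30 2>/dev/null

# X with an explicit trust setting: the PEM label becomes
# "TRUSTED CERTIFICATE" and carries "serverAuth" as a trusted use.
openssl x509 -in x.crt -addtrust serverAuth \
    -setalias "X, trusted for TLS servers" -out x-trusted.pem

# verify_leaf STORE [extra 'openssl verify' options]  -> prints OK or FAIL.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
verify_leaf() {
    store="$1"; shift
    if openssl verify -no-CAfile -no-CApath -CAfile "$store" "$@" \
           leaf.crt >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# 1. Plain X in the store, Root absent: chain building cannot get past X
#    ("unable to get issuer certificate"), which is the thread's complaint.
printf 'X only, default flags:         %s\n' "$(verify_leaf x.crt)"                               # FAIL
# 2. -partial_chain (X509_V_FLAG_PARTIAL_CHAIN): any certificate in the
#    store may terminate the chain, self-signed or not.
printf 'X only, -partial_chain:        %s\n' "$(verify_leaf x.crt -partial_chain)"                # OK
# 3. Explicit trust on X for the purpose being verified: trusted without
#    -partial_chain.
printf 'trusted X, -purpose sslserver: %s\n' "$(verify_leaf x-trusted.pem -purpose sslserver)"    # OK
# 4. Explicit trust is scoped: a purpose X was not marked for is rejected.
printf 'trusted X, -purpose sslclient: %s\n' "$(verify_leaf x-trusted.pem -purpose sslclient)"    # FAIL
```

Two things worth noting when using this for real. First, the two mechanisms differ in scope: -partial_chain makes every certificate in the store a potential anchor, whereas the -addtrust route anchors only the certificate you marked, and only for the uses you listed, so case 4 fails with "certificate rejected" rather than with a missing issuer (use -addtrust anyExtendedKeyUsage if the intermediate should be trusted for every purpose). Second, because X is the top of the chain, its own signature is never checked; whoever holds the Root key can still issue another "X" with the same name, so what actually anchors the trust here is X's public key in your store, not the name.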