You can find out if the V1 cert verifies directly with any of the certificates in the trust store or its own public key. There's pretty much nothing else you can do with it, other than try to link it to a Distinguished Name that may or may not be useful.
Also, (EXFLAG_V1|EXFLAG_SS) doesn't tell you if it's intended to be a CA certificate. X.509 actually disclaims the idea of self-signed certificates altogether (except as containers for trust anchors). -Kyle H On Tue, Sep 25, 2012 at 10:33 PM, sanjaya joshi <joshi.sanj...@gmail.com> wrote: > Hi steve, > Thanks. Got it. > That means we can't differentiate between CA and end-entity in case of V1 > certificate. > We can only find out if the V1 cert is a self-signed certificate or not. > Correct ? > > Regards, > Sanjaya > > > On Wed, Sep 26, 2012 at 2:36 AM, Dr. Stephen Henson <st...@openssl.org> > wrote: >> >> On Tue, Sep 25, 2012, sanjaya joshi wrote: >> >> > >> > We can conclude an X509 V1 certificate to be a root ca using >> > (EXFLAG_V1|EXFLAG_SS). >> > Similarly, is there a way to know whether an X509 V1 certificate is an >> > intermediate CA or end-entity certificate ? >> > >> >> You can't: there is nothing in a V1 certificate to mark it as a CA. You >> can't >> actually be sure it is a root CA using the test you mentioned above: it >> could >> be a self signed end entity certificate. >> >> Steve. >> -- >> Dr Stephen N. Henson. OpenSSL project core developer. >> Commercial tech support now available see: http://www.openssl.org >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majord...@openssl.org > > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
