If I have
    RootCA -> IntermediateCA -> ServerCert
current OpenSSL will only support trusting RootCA, not trusting
IntermediateCA or ServerCert.

I see in
http://old.nabble.com/Verify-intermediate-certificate-td33129488.html
that there's an experimental new flag X509_V_FLAG_TRUSTED_FIRST that
will help.

However, it looks like it will only help with IntermediateCA; it doesn't
look like it will help if all I want to trust is the leaf certificate
ServerCert.  (It appears to act by checking to see if a cert's issuer is
in the trust store, and the leaf cert isn't an issuer.)

It seems to me that one of the checks should be, like the
self-signed-cert check, whether the cert in question is already in the
trust store.

Comments?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
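
A simplified model of the three trust checks the message above compares, added here as an example (not code from the post or from OpenSSL): root-only trust, the issuer-in-store check the post attributes to X509_V_FLAG_TRUSTED_FIRST, and the proposed certificate-in-store check. The `cert` struct, the `verify` function and the policy names are hypothetical, and only names are compared; no signatures are verified.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified certificate: names only, nothing else is checked. */
typedef struct { const char *subject, *issuer; } cert;
enum policy { ROOT_ONLY, ISSUER_IN_STORE, CERT_IN_STORE }; /* cumulative */

static const cert *by_subject(const cert *set, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(set[i].subject, name) == 0) return &set[i];
    return NULL;
}

static int in_store(const cert *store, int n, const cert *c) {
    const cert *m = by_subject(store, n, c->subject);
    return m != NULL && strcmp(m->issuer, c->issuer) == 0;
}

/* Walk from the leaf toward a root; return 1 if a trust anchor is reached. */
int verify(const cert *leaf, const cert *sent, int nsent,
           const cert *store, int nstore, enum policy p) {
    const cert *cur = leaf;
    for (int depth = 0; depth < 8 && cur != NULL; depth++) {
        /* Proposed check: the certificate itself is in the trust store. */
        if (p == CERT_IN_STORE && in_store(store, nstore, cur)) return 1;
        /* Self-signed check: a root counts only if it is in the store. */
        if (strcmp(cur->subject, cur->issuer) == 0)
            return in_store(store, nstore, cur);
        /* Issuer check: stop as soon as the issuer is a stored certificate. */
        const cert *iss = by_subject(store, nstore, cur->issuer);
        if (iss != NULL && p >= ISSUER_IN_STORE) return 1;
        /* Otherwise keep climbing, using peer-sent certificates as well. */
        cur = iss != NULL ? iss : by_subject(sent, nsent, cur->issuer);
    }
    return 0;
}

int main(void) {
    /* Constructed chain from the message: RootCA -> IntermediateCA -> ServerCert */
    cert root = {"RootCA", "RootCA"};
    cert sent[] = { {"ServerCert", "IntermediateCA"}, {"IntermediateCA", "RootCA"} };
    const cert *stores[] = { &root, &sent[1], &sent[0] }; /* one-entry stores */
    for (int s = 0; s < 3; s++)
        for (int p = ROOT_ONLY; p <= CERT_IN_STORE; p++)
            printf("store={%s} policy=%d -> %s\n", stores[s]->subject, p,
                   verify(&sent[0], sent, 2, stores[s], 1, (enum policy)p) ? "ok" : "fail");
    return 0;
}
```

In this model a store holding only ServerCert verifies under the certificate-in-store policy alone, which is the gap the message points out.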