If I have RootCA -> IntermediateCA -> ServerCert, current OpenSSL will only support trusting RootCA, not trusting IntermediateCA or ServerCert.
I see in http://old.nabble.com/Verify-intermediate-certificate-td33129488.html that there's an experimental new flag X509_V_FLAG_TRUSTED_FIRST that will help. However, it looks like it will only help with IntermediateCA; it doesn't look like it will help if all I want to trust is the leaf certificate ServerCert. (It appears to act by checking to see if a cert's issuer is in the trust store, and the leaf cert isn't an issuer.) It seems to me that one of the checks should be, like the self-signed-cert check, whether the cert in question is already in the trust store. Comments?
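The three trust-store layouts from the question can be checked with the `openssl verify` command line. This is an added example, not part of the original post; it assumes OpenSSL 1.0.2 or later, where the `-partial_chain` option (X509_V_FLAG_PARTIAL_CHAIN, not mentioned in the post) lets a non-root certificate in the trust store end the chain. All file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway RootCA -> IntermediateCA -> ServerCert chain,
# then verification of ServerCert against different trust-store contents.

make_chain() {  # $1 = empty working directory
    ( cd "$1" || exit 1
      # Minimal config so the demo does not depend on a system openssl.cnf.
      printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
      openssl req -x509 -config demo.cnf -extensions ca -newkey rsa:2048 -nodes \
          -subj "/CN=RootCA" -keyout root.key -out root.pem -days 2 &&
      for n in IntermediateCA ServerCert; do
          openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
              -subj "/CN=$n" -keyout "$n.key" -out "$n.csr" || exit 1
      done &&
      # The intermediate needs CA:TRUE or it cannot act as an issuer.
      openssl x509 -req -in IntermediateCA.csr -CA root.pem -CAkey root.key \
          -set_serial 1 -extfile demo.cnf -extensions ca -days 2 \
          -out IntermediateCA.pem &&
      openssl x509 -req -in ServerCert.csr -CA IntermediateCA.pem \
          -CAkey IntermediateCA.key -set_serial 2 -days 2 -out ServerCert.pem
    ) >/dev/null 2>&1
}

# Succeeds only if ServerCert verifies with the given PEM as the trust store.
# The intermediate is supplied as untrusted, as a TLS server would send it.
verifies() {  # $1 = dir, $2 = trust-store PEM, remaining args = extra flags
    d=$1 store=$2; shift 2
    openssl verify "$@" -CAfile "$d/$store" -untrusted "$d/IntermediateCA.pem" \
        "$d/ServerCert.pem" 2>/dev/null | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir" || { echo "could not build the demo chain" >&2; exit 1; }
for tc in "root.pem" "IntermediateCA.pem" "IntermediateCA.pem -partial_chain" \
          "ServerCert.pem" "ServerCert.pem -partial_chain"; do
    # Word-splitting of $tc is intentional: store name, then optional flag.
    if verifies "$demo_dir" $tc; then r=OK; else r=FAIL; fi
    printf '%-48s %s\n' "trust store: $tc" "$r"
done
```

A certificate trusted this way is accepted on its own authority, so revoking or replacing it means updating every trust store that pins it.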