On 7/7/2014 2:40 AM, Sanjaya Joshi wrote:
> Hello,
>   My application uses openssl 1.0.0, and it uses X509_check_ca() to
> find out if an X509 certificate is a CA certificate, or an End-entity
> (EE) certificate.
>
> The below are the possible return codes.
>
>         /* return codes of X509_check_ca():
>         * 0 not a CA
>         * 1 is a CA
>         * 2 basicConstraints absent so "maybe" a CA
>         * 3 basicConstraints absent but self signed V1.
>         * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
>         */
>
> My question here is, if we get return code as 4, should we consider
> this as a CA certificate or an EE certificate?
>
> Any quick support in this regard is much appreciated.
> Regards,
> Sanjaya

This depends on your environment, and the types of certificates that the
CAs used issue.

The reason the codes are differentiated is because the authors of the
library can't make a blanket determination for the library's clients. :P

-Kyle H
