> Unless I overlooked something the new OpenSSL-1.1.0 does not allow access > to the ex_nscert data of the X509 object. Would it be possible to add such > function to the API? Yes. Missing accessors are bugfixes and can go into a 1.1.0 update. Please open an issue or even better a PR.