[openssl-users] Certificate Verify and non-root Trust Anchors

Dr. Pala director at openca.org
Mon Dec 11 22:06:48 UTC 2017


Hi all,

I am trying to verify a certificate and provide the possibility to 
directly trust an intermediate CA's certificate (not self-signed). After 
setting up the STORE and STORE_CTX and adding the intermediate CA to the 
trusted certificates, when I use the "X509_verify_cert(ctx)" I get the 
usual "unable to get issuer certificate" - which would be fine for a 
"non-trusted" cert, but I would expect that to not be an issue for a 
trusted certificate.

Therefore, my question is: what is the best method to have that behavior?

I tried to use the certificate callback to do that, but there is no 
function to get the trusted certificates' stack (i.e., there is a 
X509_STORE_CTX_get0_untrusted() but there is no equivalent for the 
trusted certificates' stack) - so I could not verify if the current 
certificate (in the verify callback call) is in the trusted stack or not...

Maybe there are flags / trust settings that can be used instead?

Cheers,
Max

-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director