question about certificate verify

Viktor Dukhovni openssl-users at
Mon Aug 26 13:59:40 UTC 2019

> On Aug 26, 2019, at 5:24 AM, forston_shi at wrote:
> We check a sub-certificate with a lot of root certificates.
> We don’t want to check sub-certificate’s expire time, but we want to get an error when root certificate expired.
> I try to verify it by following option,
>   X509_VERIFY_PARAM* pm = X509_STORE_CTX_get0_param(xstore_ctx);
>   X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_NO_CHECK_TIME);
>   iret = X509_verify_cert(xstore_ctx); 
> But it also will ignore root certificate’s expire.
> So, can you give me some suggestion for my question.

To ignore expiration of only the leaf certificate, you
need a verification callback that checks the error
reason at depth 0 and if it is expiration, returns
"ok = 1" anyway.


More information about the openssl-users mailing list