question about certificate verify
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Aug 26 13:59:40 UTC 2019
> On Aug 26, 2019, at 5:24 AM, forston_shi at trendmicro.com wrote:
>
> We check a sub-certificate with a lot of root certificates.
> We don’t want to check sub-certificate’s expire time, but we want to get an error when root certificate expired.
>
> I try to verify it by following option,
> X509_VERIFY_PARAM* pm = X509_STORE_CTX_get0_param(xstore_ctx);
> X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_NO_CHECK_TIME);
>
> iret = X509_verify_cert(xstore_ctx);
>
> But it also will ignore root certificate’s expire.
>
> So, can you give me some suggestion for my question.
To ignore expiration of only the leaf certificate, you
need a verification callback that checks the error
reason at depth 0 and if it is expiration, returns
"ok = 1" anyway.
--
Viktor.
More information about the openssl-users
mailing list