OpenSSL API CRL Revoke Check: Coverage

bl4ck ness bl4cknesstr at
Sat Aug 28 01:52:36 UTC 2021


I'm trying to use OpenSSL to validate a certificate chain with CRLs. To
achieve this, I create a X509_STORE and add trusted (root) certificates
into it via X509_STORE_add_cert(). I also add CRLs published by root and
intermediate CAs into the store using X509_STORE_add_crl(). Then I create a
X509_STORE_CTX for this store and using X509_STORE_CTX_init() function I
set intermediate certs via its chain parameter and target (leaf) cert via
its x509 parameter.

When I verify cert chain using X509_verify_cert:

   - Are these CRLs checked for a valid digital signature (both CRLs root &
   intermediate) ?
   - Since store should only contain trusted root certificates why should I
   add CRLs published by intermediate certificates into the store but not to
   somewhere else (for example ctx)?
   - Documentation for X509_STORE_add_crl "Untrusted objects should not be
   added in this way". What does this mean?

Dennis K.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list