Hi,
I had a set of related questions regarding the trusted CA store and
certificate chaining:

1. Let's say we have a chain of the form RootCA -> SubCA ->
Server-certificate.
Now, will the openssl verify function be able to verify if I give only
the SubCA as the trusted CA cert and the above chain as the certificate to
verify?
2. Is it possible to load more than one CA directory by calling
SSL_CTX_load_verify_locations repeatedly? If not, then what can be done if we
want to load the CA certs in >1 different directories into the SSL_CTX?
3. Is there a way to know, after the certificate verification on an SSL
connection, which certificate in the chain was trusted? I mean, is there any
API call which will give me the certificate that was trusted? I know about
the ssl_get_peer_cert_chain, but this gives the whole chain and I am
interested only in the trusted CA certificate which satisfied the
verification procedure.

Thanks.

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org