Ultimately, you cannot prevent it; as long as the user has control of
their machine, they can "spoof" anything they want. You can, however,
make it more difficult/inconvenient for them.
For example, encode the DER form of your CA key directly into your
executable, then call d2i_xxx to get the public key, then use that to
verify the cert.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
