I will try to include complete attachments with examples. In the meantime, I had to say that I was also told (aside from one of the replies on this thread) that the enforcement of the constraints would be at the time of verification. Therefore I took the following steps to "verify" the produced certificates. Neither one actually complained at all about compliance with the constraint.
1. Using "openssl verify":

   openssl verify -CAfile trusted.pem -policy_check -x509_strict badcert.pem

   "trusted.pem" is a concat of my root CA and the sub-CA certs.

   Results: badcert.pem: OK

2. Using "openssl s_client/s_server": too elaborate to detail -- but basically I used the badcert.pem as the client SSL cert and then asked the server to verify. The server verified and without any problems it established the SSL connection and I could send messages back and forth.

   Client: openssl s_client -connect localhost:4433 -cert badcert.pem -key badkey.pem -debug

   Server: openssl s_server -accept 4433 -verify 10 -CAfile trusted.pem -debug -msg -cert srvcert.pem -key srvkey.pem

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
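An added, self-contained check (not code from the original post) for whether `openssl verify` enforces a constraint at verification time, assuming the constraint in question is an X.509 nameConstraints extension: it builds a throwaway constrained root, issues one leaf inside the permitted DNS subtree and one outside it, and reports which one openssl accepts. The CA name, the example hostnames and the file layout under a temporary directory are all constructed for this demonstration; it assumes an `openssl` binary (1.1.x or 3.x) in PATH.

```shell
# Added check, not from the original post: a throwaway root CA with a critical
# nameConstraints extension, one leaf inside the permitted subtree, one outside.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config serves the root (via -subj), the leaf CSR and both leaf extension sets.
cat > "$WORK/nc.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Leaf Certificate
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical,permitted;DNS:.example.test
[inside_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:host.example.test
[outside_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:host.other.test
EOF

# Self-signed constrained root, then a CSR for the leaf (its CN is not DNS-shaped,
# so only the SAN is subject to the DNS constraint).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/nc.cnf" \
    -subj "/CN=Constrained Test Root" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/nc.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null

# issue_leaf <extension section> <output file>: sign the CSR under the root.
issue_leaf() {
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/nc.cnf" -extensions "$1" -out "$2" 2>/dev/null
}
# verify_leaf <cert>: exit status 0 only if openssl accepts the chain.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.pem" -x509_strict "$1" >/dev/null 2>&1
}

issue_leaf inside_ext "$WORK/inside.pem"
issue_leaf outside_ext "$WORK/outside.pem"
verify_leaf "$WORK/inside.pem" && echo "inside permitted subtree: accepted"
verify_leaf "$WORK/outside.pem" || echo "outside permitted subtree: rejected"
```

Running the same two verify calls without `-x509_strict` gives the same accept/reject split, since name constraint checking is not gated by that flag; the rejected leaf reports "permitted subtree violation".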