On Wed, Dec 22, 2010, Pingzhong Li wrote:
>
> Didn't see any reply, thought I would ask one simpler question again.
>
> If for one root certificate there are both an expired and an unexpired cert (same
> DN) in the CA file, which one will be used during certificate verification?
> From testing, if there are only those 2 certs in the CA file, the
> certificate later in the CA file will be used. However, if there are quite a
> few certs in the CA file, this doesn't hold any more; it seems that the
> sequence in the CA file doesn't matter any more. Could anyone shed some
> light on this?
>
At present which certificate is used is a matter of luck: so you shouldn't include expired certificates in the trusted store. In future the algorithm used will be enhanced so it can handle this situation properly and ignore expired certificates if an unexpired one exists.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
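A practical follow-up to the advice above is to check a CA bundle for the situation the thread describes before relying on it: subjects that occur more than once, and expired certificates that should be dropped. The script below is an added example, not OpenSSL project code. It shells out to the real `openssl x509 -noout -subject -enddate` command to read each certificate and then applies the rule from the reply: an expired certificate whose subject also has an unexpired certificate in the bundle is removed; an expired certificate with no unexpired sibling is reported separately, because deleting it alone would leave that CA untrusted. The `SAMPLE_OPENSSL_OUTPUT` lines and the `NOW` date are constructed for the offline demo; the subject names in them are hypothetical.

```python
"""Audit a PEM CA bundle for duplicate-subject and expired certificates.

Added example for the openssl-users thread above; not OpenSSL project code.
Parsing is delegated to the `openssl x509` CLI; the cleanup rule is the one
from the reply: drop expired certs that have an unexpired twin (same subject).
"""
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timezone

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the PEM certificate blocks of a bundle, in file order."""
    return PEM_BLOCK.findall(text)


def describe_cert(pem):
    """Ask the openssl CLI for the subject and notAfter lines of one PEM cert."""
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-enddate"],
        input=pem, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def parse_openssl_lines(lines):
    """Turn 'subject=...' / 'notAfter=...' line pairs into (subject, not_after).

    The subject string is kept verbatim, so both the old '/C=US/O=...' and the
    newer 'C = US, O = ...' printing styles compare correctly within one run.
    notAfter is printed like 'Dec 22 00:00:00 2010 GMT' and is always UTC.
    """
    records, subject = [], None
    for line in lines:
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("notAfter=") and subject is not None:
            when = datetime.strptime(line[len("notAfter="):].strip(),
                                     "%b %d %H:%M:%S %Y %Z")
            records.append((subject, when.replace(tzinfo=timezone.utc)))
            subject = None
    return records


def audit(records, now=None):
    """Group certificates by subject and classify the expired ones.

    Returns a dict with:
      duplicate_subjects: subjects occurring more than once (verification may
                          pick any of them, so the bundle is ambiguous);
      drop:  indices of expired certs that have an unexpired sibling with the
             same subject (safe to delete, per the reply above);
      stale: indices of expired certs with no unexpired sibling (deleting them
             alone removes trust in that CA; a renewed cert is needed).
    """
    now = now or datetime.now(timezone.utc)
    by_subject = defaultdict(list)
    for idx, (subject, not_after) in enumerate(records):
        by_subject[subject].append((idx, not_after <= now))
    report = {"duplicate_subjects": [], "drop": [], "stale": []}
    for subject, entries in by_subject.items():
        if len(entries) > 1:
            report["duplicate_subjects"].append(subject)
        has_valid = any(not expired for _, expired in entries)
        for idx, expired in entries:
            if expired:
                report["drop" if has_valid else "stale"].append(idx)
    report["drop"].sort()
    report["stale"].sort()
    return report


def audit_bundle(text, now=None):
    """Audit a whole PEM bundle; return (report, bundle text with 'drop' removed)."""
    blocks = split_pem_bundle(text)
    records = []
    for pem in blocks:                       # one (subject, notAfter) per block
        records.extend(parse_openssl_lines(describe_cert(pem)))
    report = audit(records, now)
    dropped = set(report["drop"])
    kept = [b for i, b in enumerate(blocks) if i not in dropped]
    return report, "\n".join(kept) + "\n"


# Constructed sample of `openssl x509 -noout -subject -enddate` output for four
# certificates in CA-file order (hypothetical CA names, not real certificates).
SAMPLE_OPENSSL_OUTPUT = """\
subject=C = US, O = Example Root CA, CN = Example Root
notAfter=Jan 1 00:00:00 2009 GMT
subject=C = US, O = Example Root CA, CN = Example Root
notAfter=Jan 1 00:00:00 2030 GMT
subject=C = US, O = Other CA, CN = Other Root
notAfter=Jun 30 12:00:00 2028 GMT
subject=C = US, O = Old CA, CN = Old Root
notAfter=Mar 15 00:00:00 2005 GMT
"""
# Constructed "current time": the date of the thread above.
NOW = datetime(2010, 12, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:        # real bundle on disk: needs `openssl` on PATH
        with open(sys.argv[1]) as fh:
            report, cleaned = audit_bundle(fh.read())
    else:                        # offline demo on the constructed sample
        report = audit(parse_openssl_lines(SAMPLE_OPENSSL_OUTPUT.splitlines()), NOW)
    print(report)
```

Run it with a bundle path to audit a real file (`python audit_bundle.py /etc/ssl/certs/ca-bundle.pem`), or with no arguments for the offline demo. Only certificates in `drop` are removed from the returned bundle text; a `stale` entry means the CA has no current certificate at all, which is a renewal problem rather than a cleanup one.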