Just wanted to confirm an assumption. I've got 3 x509 certificates:
Root --> intermediate --> leaf
I load the intermediate certificate (but not the Root certificate) into the
x509_store and set up the verify_ctx to verify the leaf certificate.
I then use the "X509_verify_cert(verify_ctx)" function for verification but the
associated callback reports that the verification fails (i.e. ok == 0) with an
error of 2 ("unable to get issuer certificate").
I assume that if I load the intermediate as a CA that I don't have to provide
the Root to verify the leaf (i.e. I'm stating that I trust the intermediate as
the CA). Is this correct? Does the Root also need to be loaded?
This setup certainly works with 2 certs (i.e. Root --> Leaf), but I'm retrieving
the certs using the Windows crypto API, so I want to make sure that my OpenSSL
verify assumption is correct before trying to run down the Windows stuff.
Anybody know offhand? Thanks .. N
---
Nou Dadoun
[email protected]
604-628-1215
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
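The scenario in the post can be reproduced with the `openssl` command-line tool; the script below is an added example, not part of the original message, and every certificate name and file path in it is constructed for the demo. It verifies a leaf with only the intermediate in the trust store, first with default settings (chain must end in a self-signed certificate, so error 2 is reported) and then with `-partial_chain`, which sets `X509_V_FLAG_PARTIAL_CHAIN` (OpenSSL 1.0.2 and later).

```shell
#!/usr/bin/env bash
# Constructed demo chain: Demo Root -> Demo Intermediate -> Demo Leaf (names are assumptions).

build_chain() {  # $1 = scratch directory; writes root/int/leaf .key and .pem files
  local d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$d/demo.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 1 -extfile "$d/demo.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null &&
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Leaf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 1 -extfile "$d/demo.cnf" -extensions leaf -out "$d/leaf.pem" 2>/dev/null
}

# Only the intermediate is in the trust store; default rules want a self-signed root.
verify_intermediate_only() {
  openssl verify -CAfile "$1/int.pem" "$1/leaf.pem" 2>&1
}

# Same store, but a non-self-signed certificate in the store may act as trust anchor.
verify_partial_chain() {
  openssl verify -partial_chain -CAfile "$1/int.pem" "$1/leaf.pem" 2>&1
}

# Conventional setup: root trusted, intermediate supplied as an untrusted helper.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

demo=$(mktemp -d) && build_chain "$demo"
echo "intermediate only:"; verify_intermediate_only "$demo"
echo "partial chain:";     verify_partial_chain "$demo"
echo "root trusted:";      verify_with_root "$demo"
rm -rf "$demo"
```

In C, the same switch is `X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN)` on the store, or `X509_VERIFY_PARAM_set_flags()` on the context's parameters, set before calling `X509_verify_cert()`.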