On Tue, May 27, 2014, Viktor Dukhovni wrote:
> On Tue, May 27, 2014 at 03:44:46PM +0200, Sven Reissmann wrote:
>
> > But, shouldn't it also be possible to only verify the trust chain up to
> > the subCA (i.e., if I fully trust this CA)? I would have expected that
> > this will verify successfully:
>
> OpenSSL versions prior to 1.0.2 require that all trusted certificates
> be self-signed. In 1.0.2 it is possible to use X509_verify_cert()
> with a trust anchor that is not self-signed, but I don't recall
> whether this is possible through the CLI.
>
It is with the -partial_chain option.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
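
The behaviour discussed in this thread, as an added example that is not part of the original messages: it builds a throwaway root -> sub-CA -> leaf chain and runs `openssl verify` with only the sub-CA trusted, with and without `-partial_chain`. It assumes OpenSSL 1.0.2 or later on the PATH; the certificate names, file names and helper functions are constructed for the demo.

```shell
#!/bin/sh
# Added example. Builds a throwaway chain (root -> sub-CA -> leaf) in a temp
# directory; all names and keys are constructed for this demo.

# Succeeds if `openssl verify` reports "<file>: OK". Some older releases exit 0
# even on failure, so check the text rather than the exit status.
verify_ok() {
    openssl verify "$@" 2>&1 | grep -q ': OK$'
}

partial_chain_demo() (
    d=$(mktemp -d) && cd "$d" || exit 2
    trap 'cd /; rm -rf "$d"' EXIT
    # Minimal config so the demo does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > cfg

    mkreq() {  # $1 = file prefix, $2 = CN; remaining args go to `openssl req`
        p=$1 cn=$2; shift 2
        openssl req -config cfg -newkey rsa:2048 -nodes -keyout "$p.key" \
            -subj "/CN=$cn" "$@" >/dev/null 2>&1
    }
    mkreq root "Demo Root" -x509 -extensions ca -days 2 -out root.pem || exit 2
    mkreq sub "Demo SubCA" -new -out sub.csr || exit 2
    mkreq leaf "leaf.example" -new -out leaf.csr || exit 2
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile cfg -extensions ca -days 2 -out sub.pem >/dev/null 2>&1 || exit 2
    openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
        -days 2 -out leaf.pem >/dev/null 2>&1 || exit 2

    # 1. Only the sub-CA is trusted. It is not self-signed, so chain building
    #    keeps looking for its issuer (the root) and verification fails.
    verify_ok -CAfile sub.pem leaf.pem && r1=ok || r1=fail
    # 2. Same trust store, but -partial_chain lets the sub-CA act as the anchor.
    #    Nothing above the sub-CA is checked in this mode.
    verify_ok -partial_chain -CAfile sub.pem leaf.pem && r2=ok || r2=fail
    # 3. Control: root trusted, sub-CA supplied as an untrusted intermediate.
    verify_ok -CAfile root.pem -untrusted sub.pem leaf.pem && r3=ok || r3=fail

    echo "subca_only=$r1 partial_chain=$r2 full_chain=$r3"
)

partial_chain_demo
```
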