6 Mar
2006
6 Mar
'06
3:48 p.m.
Is there already a way to accept certs only from a particular issuer? For example, if we have a root CA (A), that issues another CA cert (B), from which our client certs will be issued, our CA_file must contain both A & B certs to validate our clients. However, certs issued directly from A will then also be valid. I'm about to add a check_cert_issuer (PW_TYPE_STRING_PTR) config option set to the DN of the issuer we want to use, and a string compare in cbtls_verify() just before the check_cert_cn happens. Does that sound about right? --ben