trusted intermediate CAs

Simon Josefsson simon at
Wed Nov 12 09:29:41 CET 2008

Daniel Kahn Gillmor <dkg at> writes:

> i think certtool(1) is problematic in that way, fwiw:
>       -e, --verify-chain
>               Verify a PEM encoded certificate chain.  The last certificate in
>               the chain must be a self signed one.

Btw, note that certtool -e does not use the same chain validation
algorithm as the GnuTLS library uses -- I believe certtool -e would have
rejected the faulty gnutls-sa-2008-3 chain.


More information about the Gnutls-devel mailing list