trusted intermediate CAs

[Simon Josefsson]

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> i think certtool(1) is problematic in that way, fwiw:
>
>       -e, --verify-chain
>               Verify a PEM encoded certificate chain.  The last certificate in
>               the chain must be a self signed one.

Btw, note that certtool -e does not use the same chain validation
algorithm as the GnuTLS library uses -- I believe certtool -e would have
rejected the faulty gnutls-sa-2008-3 chain.

/Simon