trusted intermediate CAs
simon at josefsson.org
Wed Nov 12 09:29:41 CET 2008
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> i think certtool(1) is problematic in that way, fwiw:
> -e, --verify-chain
> Verify a PEM encoded certificate chain. The last certificate in
> the chain must be a self signed one.
Btw, note that certtool -e does not use the same chain validation
algorithm as the GnuTLS library uses -- I believe certtool -e would have
rejected the faulty gnutls-sa-2008-3 chain.
More information about the Gnutls-devel