[Help-gnutls] Verifying peer's certificate: how to handle certificate chains?

Martin Lambers marlam at web.de
Thu Apr 22 23:18:10 CEST 2004


Hello!

I'm currently using the example code from the documentation section
"Verifying peer's certificate" to verify certificates. A comment 
there says that "Real world programs should be able to handle 
certificate chains as well".

How? Must *every* certificate in the chain pass all tests (import, 
expiration time, activation time, and hostname), or is it sufficient 
that there is *one* certificate that passes all tests?

I assume *every* certificate must pass the import, expiration time, 
and activation time tests, but only *one* (the first in the chain??) 
must pass the hostname check. Is this correct?

Martin
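
The rule asked about above, as an added example (not part of the original post, and not GnuTLS code): in standard X.509 path validation every certificate in the chain must be inside its validity period, while the host name is matched only against the first (peer) certificate. `struct cert`, `check_chain` and the sample chain are hypothetical, constructed for illustration; signature and trust-anchor verification, which a real program leaves to the TLS library, is not modelled.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical, simplified certificate record (not a GnuTLS type). */
struct cert {
    const char *subject;   /* host name for the leaf, CA name otherwise */
    const char *issuer;
    time_t activation;     /* notBefore */
    time_t expiration;     /* notAfter */
};

enum chain_status { CHAIN_OK, CHAIN_EMPTY, CHAIN_NOT_ACTIVE, CHAIN_EXPIRED,
                    CHAIN_BROKEN_LINK, CHAIN_HOSTNAME_MISMATCH };

/* chain[0] is the peer's own certificate; chain[i + 1] issued chain[i].
 * Signature and trust-anchor checks are deliberately not modelled here. */
enum chain_status check_chain(const struct cert *chain, size_t n,
                              const char *hostname, time_t now)
{
    if (n == 0)
        return CHAIN_EMPTY;
    for (size_t i = 0; i < n; i++) {
        /* Time checks apply to every certificate in the chain. */
        if (now < chain[i].activation)
            return CHAIN_NOT_ACTIVE;
        if (now > chain[i].expiration)
            return CHAIN_EXPIRED;
        /* Each certificate must name the next one as its issuer. */
        if (i + 1 < n && strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return CHAIN_BROKEN_LINK;
    }
    /* Host name: first certificate only (exact match; no wildcards here). */
    if (strcmp(chain[0].subject, hostname) != 0)
        return CHAIN_HOSTNAME_MISMATCH;
    return CHAIN_OK;
}

/* Constructed sample chain: leaf, intermediate CA, root CA. */
static const struct cert sample_chain[3] = {
    { "mail.example.org", "Example Intermediate CA", 1000, 5000 },
    { "Example Intermediate CA", "Example Root CA", 500, 4000 },
    { "Example Root CA", "Example Root CA", 100, 9000 },
};

int main(void)
{
    return check_chain(sample_chain, 3, "mail.example.org", 3000) == CHAIN_OK ? 0 : 1;
}
```
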




