[Help-gnutls] Verifying peer's certificate: how to handle certificate chains?
nmav at gnutls.org
Fri Apr 23 08:39:26 CEST 2004
On Friday 23 April 2004 00:18, Martin Lambers wrote:
> I'm currently using the example code from the documentation section
> "Verifying peer's certificate" to verify certificates. A comment
> there says that "Real world programs should be able to handle
> certificate chains as well".
> I assume *every* certificate must pass the import, expiration time,
> and activation time tests, but only *one* (the first in the chain??)
> must pass the hostname check. Is this correct?
Yes, this is correct. The first certificate in the chain belongs to the host.
The other certificates belong to intermediate CAs that certified that host.
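
The rule confirmed in this exchange, as an added example that is not part of the original post and is not GnuTLS code: every certificate in the chain must pass the activation and expiration tests, and only the first one is checked against the hostname. Assumptions: `struct cert_info`, `check_chain` and the sample chain are hypothetical, the certificates are taken as already imported, and a plain case-insensitive comparison stands in for the library's hostname check. Signature and trust verification of the chain is a separate step not modelled here.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>
#include <time.h>

/* Hypothetical, simplified view of an already-imported certificate. */
struct cert_info {
    time_t not_before;    /* activation time */
    time_t not_after;     /* expiration time */
    const char *dns_name; /* one name only; real certificates may list several */
};

enum chain_result { CHAIN_OK, CHAIN_EMPTY, CHAIN_NOT_YET_ACTIVE,
                    CHAIN_EXPIRED, CHAIN_HOSTNAME_MISMATCH };

/* chain[0] is the host's certificate; chain[1..n-1] are intermediate CAs. */
enum chain_result check_chain(const struct cert_info *chain, size_t n,
                              const char *hostname, time_t now)
{
    if (chain == NULL || n == 0 || hostname == NULL)
        return CHAIN_EMPTY;

    /* Activation and expiration tests apply to every certificate. */
    for (size_t i = 0; i < n; i++) {
        if (now < chain[i].not_before)
            return CHAIN_NOT_YET_ACTIVE;
        if (now > chain[i].not_after)
            return CHAIN_EXPIRED;
    }

    /* Hostname test applies to the first certificate only; a name that
     * matches just an intermediate CA must not be accepted. */
    if (chain[0].dns_name == NULL ||
        strcasecmp(chain[0].dns_name, hostname) != 0)
        return CHAIN_HOSTNAME_MISMATCH;
    return CHAIN_OK;
}

/* Constructed sample chain; times are arbitrary seconds-since-epoch values. */
static const struct cert_info sample_chain[] = {
    { 1000, 2000, "www.example.org" },        /* host certificate */
    {  500, 1800, "Example Intermediate CA" } /* intermediate CA */
};

int main(void)
{
    printf("%d\n", check_chain(sample_chain, 2, "www.example.org", 1500));
    return 0;
}
```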