Checking CA expiration

Michael Welsh Duggan mwd at
Thu Oct 20 21:37:13 CEST 2011

Nikos Mavrogiannopoulos <nmav at> writes:

> On 10/19/2011 08:30 PM, Michael Welsh Duggan wrote:
>> In our code, we add CAs to our credentials using
>> gnutls_set_x509_trust_file.  In gnutls 2.x, we then get a list of the
>> CAs using gnutls_certificate_get_x509_cas which we then use to verify
>> that at least one of the CAs has not yet expired.  We want to do this
>> _before_ initiating a session.
>> Is this possible in gnutls 3.x?  gnutls_certificate_get_x509_cas has
>> gone away, supposedly in favor of gnutls_certificate_get_issuer(), but
>> that requires an existing session.
> Why not use gnutls_x509_crt_list_import() or
> gnutls_x509_crt_list_import2() and traverse the list of the CAs? The
> access to the CA list in the credentials structure has been
> restricted to allow for future internal changes.

Yup this works.  There are so many API calls, it can be difficult to
determine which ones to use.

Michael Welsh Duggan
(mwd at
