Hi,

I have an application which wants to do verification of a certificate. Not in the context of a context or a signature, but simply to verify if the certificates are still valid and from a source that is correct in the context in which the application runs.

I used libcrypto to parse out the OCSP URL from the certificate, validate it against a whitelist of valid OCSP URLs, send an OCSP request and validate the response and its signature against a custom certificate store, and then parse out the result.

Two points on that:

- This seems like something that should be in libcrypto rather than in my own code. Did I miss something obvious?
- Currently I don't fall back to CRLs when the OCSP server is unavailable. I would like to do so; however, I can't figure out how to validate the signature on a CRL (which would be a pretty obvious failure).

Alternatively, is there an obvious alternative thing that I should be doing, rather than manually parsing the CRL?

Thanks,

--
Wouter Verhelst