> On Aug 26, 2019, at 5:24 AM, forston_shi@xxxxxxxxxxxxxx wrote:
>
> We check a sub-certificate against a lot of root certificates.
> We don’t want to check the sub-certificate’s expiry time, but we want to get an error when a root certificate has expired.
>
> I tried to verify it with the following option,
> X509_VERIFY_PARAM* pm = X509_STORE_CTX_get0_param(xstore_ctx);
> X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_NO_CHECK_TIME);
>
> iret = X509_verify_cert(xstore_ctx);
>
> But it will also ignore the root certificate’s expiry.
>
> So, can you give me some suggestions for my question?

To ignore expiration of only the leaf certificate, you need a verification
callback that checks the error reason at depth 0 and, if it is expiration,
returns "ok = 1" anyway.

--
Viktor.