Thursday, 26 February 2015

Explicitly prohibit a CA certificate on OpenSSL



How do you explicitly not trust a particular certificate (especially, CA certificate) for OpenSSL?


On NSS-based applications, one can install the cert with trustarg p: prohibited (explicitly distrusted). In this way, say we have



Verisign ---> Some_CA_I_dont_trust ---> ... ---> Some Site


I can remove trust of Some_CA_I_dont_trust without affecting others from Verisign.


However, it doesn't seem to be the case if I add a ! to the corresponding line in /etc/ca-certificates.conf and execute update-ca-certificates. OpenSSL happily accepts the certificate even though the intermediate CA is not on my system.
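The behaviour described in the question can be reproduced offline; the script below is an added example, not part of the original post. It builds a constructed root -> intermediate -> leaf chain (all subject and file names are made up), trusts only the root, and verifies the leaf once with the intermediate supplied the way a TLS peer sends it (`-untrusted`) and once without it.

```shell
#!/bin/sh
# Constructed three-level chain: root -> intermediate -> leaf. All names are made up.
WORK=$(mktemp -d)

# Minimal config so `openssl req` does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"

make_csr() {  # make_csr <file stem> <common name>
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
    make_csr root "Constructed Root CA" &&
    make_csr inter "Constructed Intermediate CA" &&
    make_csr leaf "site.example" &&
    # Self-signed root: the only certificate placed in the trust store.
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" 2>/dev/null &&
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -set_serial 2 -extfile "$WORK/ca.ext" \
        -days 2 -out "$WORK/inter.pem" 2>/dev/null &&
    # End-entity certificate signed by the intermediate.
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -set_serial 3 -days 2 \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Trust store = root only; the intermediate comes from the peer's chain.
verify_with_peer_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Same trust store, but nobody supplies the intermediate.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}

build_chain || echo "chain generation failed" >&2
```

The first check succeeds and the second fails: an intermediate absent from the local store is still used for path building when the peer sends it, as long as it chains to a trusted root.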




