table of contents
| X509_CHECK_CA(3) | Library Functions Manual | X509_CHECK_CA(3) |
NAME¶
X509_check_ca —
check whether a certificate is a CA certificate
SYNOPSIS¶
#include
<openssl/x509v3.h>
int
X509_check_ca(X509 *cert);
DESCRIPTION¶
The
X509_check_ca()
function checks whether the given certificate is a CA certificate, that is,
whether it can be used to sign other certificates.
RETURN VALUES¶
If cert is a CA certificate, a non-zero value is returned; 0 otherwise.
The following return values identify specific kinds of CA certificates:
- 1
- an X.509 v3 CA certificate with basicConstraints extension CA:TRUE
- 3
- a self-signed X.509 v1 certificate
- 4
- a certificate with keyUsage extension with bit keyCertSign set, but without basicConstraints
- 5
- a certificate with an outdated Netscape Certificate Type extension telling that it is a CA certificate
SEE ALSO¶
BASIC_CONSTRAINTS_new(3), EXTENDED_KEY_USAGE_new(3), X509_check_issued(3), X509_check_purpose(3), X509_EXTENSION_new(3), X509_new(3), X509_verify_cert(3)
HISTORY¶
X509_check_ca() first appeared in OpenSSL
0.9.7f and has been available since OpenBSD 3.8.
BUGS¶
If X509_check_ca() fails to cache X509v3
extension values, the return value may be incorrect. An application should
call X509_check_purpose(3) with a
purpose argument of -1, ensuring that the X509v3
extensions are cached, before calling
X509_check_ca().
| May 10, 2022 | Linux 6.4.0-150600.23.25-default |