39 In general, according to RFC 4158 and RFC 5280, a I<trust anchor> is
44 In practice, trust anchors are given in the form of certificates,
50 is used for matching trust anchors during chain building.
52 In the most simple and common case, trust anchors are by default
53 all self-signed "root" CA certificates that are placed in the I<trust store>,
55 This is akin to what is used in the trust stores of Mozilla Firefox,
58 From the OpenSSL perspective, a trust anchor is a certificate
60 uses of a target certificate the certificate may serve as a trust anchor.
62 Such a designation provides a set of positive trust attributes
63 explicitly stating trust for the listed purposes
64 and/or a set of negative trust attributes
79 is considered a trust anchor for the given use
86 It is an an element of the trust store.
90 It does not have a negative trust attribute rejecting the given use.
94 It has a positive trust attribute accepting the given use
104 and ending in a trust anchor.
115 In this case it must fully match a trust anchor, otherwise chain building fails.
141 The lookup first searches for issuer certificates in the trust store.
164 The third step is to check the trust settings on the last certificate
168 with no trust attributes is considered to be valid for all uses.
190 that can be used as trust anchors for certain uses.
191 As mentioned, a collection of such certificates is called a I<trust store>.
193 Note that OpenSSL does not provide a default set of trust anchors.  Many
195 to that.  Mozilla maintains an influential trust store that can be found at
198 The certificates to add to the trust store
207 PEM-encoded certificates may also have trust attributes set.
216 i.e., a trust store.
371 I<trust anchor>, which is either directly trusted or validated by means
383 (because it has no matching positive trust attributes and is not self-signed)
384 but is an element of the trust store.
415 Each of them qualifies as trusted if has a suitable positive trust attribute
419 only certificates specified using the B<-trusted> option are trust anchors.
427 construct a certificate chain from the target certificate to a trust anchor.
474 end-entity certificate nor the trust-anchor certificate count against the
494 Use default verification policies like trust model and required certificate
496 The trust model determines which auxiliary trust or reject OIDs are applicable
502 These mimics the combinations of purpose and trust settings used in SSL, CMS
504 As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not

Last Index update Fri Nov 22 14:03:13 UTC 2024

Dedicated to & Maintained by Room-11