
Sortix nightly manual

This manual documents Sortix nightly, a development build that has not been officially released. You can instead view this document in the latest official manual.

NAME

X509_check_ca — check whether a certificate is a CA certificate

SYNOPSIS

#include <openssl/x509v3.h>
int
X509_check_ca(X509 *cert);

DESCRIPTION

The X509_check_ca() function checks whether the given certificate is a CA certificate, that is, whether it can be used to sign other certificates.

RETURN VALUES

If cert is a CA certificate, a non-zero value is returned; 0 otherwise.

The following return values identify specific kinds of CA certificates:

1    an X.509 v3 CA certificate with basicConstraints extension CA:TRUE
3    a self-signed X.509 v1 certificate
4    a certificate with keyUsage extension with bit keyCertSign set, but without basicConstraints
5    a certificate with an outdated Netscape Certificate Type extension indicating that it is a CA certificate

SEE ALSO

BASIC_CONSTRAINTS_new(3), EXTENDED_KEY_USAGE_new(3), X509_check_issued(3), X509_check_purpose(3), X509_EXTENSION_new(3), X509_new(3), X509_verify_cert(3)

HISTORY

X509_check_ca() first appeared in OpenSSL 0.9.7f and has been available since OpenBSD 3.8.

BUGS

If X509_check_ca() fails to cache X509v3 extension values, the return value may be incorrect. An application should call X509_check_purpose(3) with a purpose argument of -1, ensuring that the X509v3 extensions are cached, before calling X509_check_ca().
Copyright 2011-2025 Jonas 'Sortie' Termansen and contributors.
Sortix's source code is free software under the ISC license.