Differentiate a CA and a user certificate


Is there a way to differentiate a user certificate from a CA certificate in mbedTLS?
Maybe a specific flag set in the mbedtls_x509_crt structure?


Hi @Pokitoz
Thank you for your question.
I am not sure I follow you.
You set the CA certificate through mbedtls_ssl_conf_ca_chain() as a list of trusted CAs (https://github.com/ARMmbed/mbedtls/pull/2532 introduces a new way for setting the CA trusted certificates).
The device peer certificate is sent through the certificate handshake message and stored (if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is set) in the peer_cert member.

In addition, the mbedtls_x509_crt struct has a member ca_istrue.
Mbed TLS Team member

Thanks for your answer @roneld01. I will have a look.
I am currently loading the CA certificate using mbedtls_x509_crt_parse and I wanted to make sure that I am not loading a user certificate for checking trusted certificates.
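
The ca_istrue member mentioned in the answer is filled from the cA flag of the certificate's basicConstraints extension. The following is an added example, not code from this thread or from Mbed TLS: a standalone C decoder for that one extension, showing that an omitted cA flag means "not a CA". The names der_tlv and basic_constraints_is_ca and the two sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples, one DER-encoded Extension each. */
const unsigned char ca_ext[]   = { 0x30,0x0f, 0x06,0x03,0x55,0x1d,0x13, 0x01,0x01,0xff,
                                   0x04,0x05, 0x30,0x03, 0x01,0x01,0xff }; /* critical, cA=TRUE */
const unsigned char leaf_ext[] = { 0x30,0x09, 0x06,0x03,0x55,0x1d,0x13,
                                   0x04,0x02, 0x30,0x00 };                 /* cA omitted */

/* Hypothetical helper: read a DER header with the expected tag. Short-form
 * lengths only (< 128), enough for this extension. Returns the content length
 * and advances *p to the content, or returns -1 if malformed or truncated. */
static int der_tlv(const unsigned char **p, const unsigned char *end, unsigned char tag)
{
    if (end - *p < 2 || (*p)[0] != tag || (*p)[1] >= 0x80) return -1;
    int len = (*p)[1];
    *p += 2;
    return (len <= end - *p) ? len : -1;
}

/* Hypothetical helper. Returns 1 for basicConstraints with cA=TRUE, 0 when cA
 * is FALSE or omitted (DEFAULT FALSE), -1 if malformed or another extension. */
int basic_constraints_is_ca(const unsigned char *ext, size_t ext_len)
{
    static const unsigned char oid_bc[] = { 0x55, 0x1d, 0x13 }; /* 2.5.29.19 */
    const unsigned char *p = ext, *end = ext + ext_len;
    int len;
    if ((len = der_tlv(&p, end, 0x30)) < 0) return -1;        /* Extension SEQUENCE */
    end = p + len;
    if ((len = der_tlv(&p, end, 0x06)) != 3 || memcmp(p, oid_bc, 3) != 0) return -1;
    p += len;
    if (p < end && *p == 0x01) {                              /* optional critical BOOLEAN */
        if ((len = der_tlv(&p, end, 0x01)) != 1) return -1;
        p += len;
    }
    if ((len = der_tlv(&p, end, 0x04)) < 0) return -1;        /* extnValue OCTET STRING */
    end = p + len;
    if ((len = der_tlv(&p, end, 0x30)) < 0) return -1;        /* BasicConstraints SEQUENCE */
    end = p + len;
    if (p == end || *p != 0x01) return 0;                     /* cA omitted: not a CA */
    if ((len = der_tlv(&p, end, 0x01)) != 1) return -1;
    return *p == 0xff ? 1 : (*p == 0x00 ? 0 : -1);            /* DER TRUE is 0xff */
}
int main(void)
{
    printf("ca_ext: %d, leaf_ext: %d\n", basic_constraints_is_ca(ca_ext, sizeof ca_ext),
           basic_constraints_is_ca(leaf_ext, sizeof leaf_ext));
    return 0;
}
```

With Mbed TLS itself, the equivalent check after mbedtls_x509_crt_parse is to read ca_istrue on each parsed certificate before handing the chain to mbedtls_ssl_conf_ca_chain().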