Verify a certificate with a list of untrusted intermediate certificates

Hello everyone,

I am trying to verify a certificate with the mbedtls_x509_crt_verify function. I can pass a list of trusted CAs with the “trust_ca”-parameter. My problem is that I also have a list of intermediate CAs which I do not trust but should be used to build the certificate chain. Something like the chain-parameter in the OpenSSL function X509_STORE_CTX_init. According to the documentation I can pass the certificate chain to the mbedtls_x509_crt_verify-function via the crt-parameter but is there a possibility to build that chain with a list of untrusted intermediate CAs?

Thank you very much
ckmk14

Hi @ckmk14
As long as the root of your certificate chain is signed by the key of your trusted CA, then it should work. The certificate verification flow checks the certificate with its parent, and with the trusted CA list, until it reaches the root. If the root of your chain fails on verification, because there is no matching trusted CA, then verification of your whole certificate chain would fail.
Of course, depending on your platform, you might encounter memory issues on long certificate chains.
Regards,
Mbed TLS Team member
Ron