X509_CHECK_CA(3)           Library Functions Manual           X509_CHECK_CA(3)

NAME
     X509_check_ca - check whether a certificate is a CA certificate

SYNOPSIS
     #include <openssl/x509v3.h>

     int
     X509_check_ca(X509 *cert);

DESCRIPTION
     The X509_check_ca() function checks whether the given certificate is a CA
     certificate, that is, whether it can be used to sign other certificates.

RETURN VALUES
     If cert is a CA certificate, a non-zero value is returned; 0 otherwise.

     The following return values identify specific kinds of CA certificates:

     1   an X.509 v3 CA certificate with basicConstraints extension CA:TRUE

     3   a self-signed X.509 v1 certificate

     4   a certificate with keyUsage extension with bit keyCertSign set, but
         without basicConstraints

     5   a certificate with an outdated Netscape Certificate Type extension
         telling that it is a CA certificate

SEE ALSO
     BASIC_CONSTRAINTS_new(3), EXTENDED_KEY_USAGE_new(3),
     X509_check_issued(3), X509_check_purpose(3), X509_EXTENSION_new(3),
     X509_new(3), X509_verify_cert(3)

HISTORY
     X509_check_ca() first appeared in OpenSSL 0.9.7f and has been available
     since OpenBSD 3.8.

BUGS
     If X509_check_ca() fails to cache X509v3 extension values, the return
     value may be incorrect.  An application should call X509_check_purpose(3)
     with a purpose argument of -1, ensuring that the X509v3 extensions are
     cached, before calling X509_check_ca().

Linux 6.8.2-arch2-1              May 10, 2022              Linux 6.8.2-arch2-1