gnutls_certificate_set_verify_limits - Linux


gnutls_certificate_set_verify_limits manipulates certificate verification limits, specifically regarding path length, key usage, and constraints. This command is crucial for ensuring the validity and authenticity of certificates within the context of TLS/SSL communication.


gnutls_certificate_set_verify_limits(certificate, depth, key_usage, key_usage_critical, extension_critical)


  • certificate: Pointer to the X.509 certificate to be verified.
  • depth: Maximum allowed depth of certificate chain validation.
  • key_usage: Bitmask of key usage flags to check for validity.
  • key_usage_critical: Boolean value indicating whether the Key Usage extension is considered critical.
  • extension_critical: Boolean value indicating whether extension constraints are considered critical.


Example 1: Limit Certificate Chain Depth

int ret = gnutls_certificate_set_verify_limits(cert, 5, 0, 0, 0);
if (ret < 0) {
  // Error handling

Example 2: Enforce Key Usage

int ret = gnutls_certificate_set_verify_limits(cert, 0, GNUTLS_KU_DIGITAL_SIGNATURE | GNUTLS_KU_KEY_ENCIPHERMENT, 1, 0);
if (ret < 0) {
  // Error handling

Common Issues

  • Invalid depth limit: Users may encounter errors if the depth limit is set too low, resulting in an incomplete certificate chain validation.
  • Missing Key Usage: If a certificate lacks the necessary key usage flags, verification may fail when key_usage_critical is set to true.


gnutls_certificate_set_verify_limits can be used in conjunction with other GnuTLS functions for comprehensive certificate validation.

gnutls_certificate_verify_peers2(session, hostname);

Related Commands

  • gnutls_certificate_verify_peers2: Verifies the peer certificates against a trust store.
  • gnutls_certificate_get_verify_status: Retrieves the verification status of a certificate.