On Friday, February 8, 2013 9:08:50 PM UTC, Brian Smith wrote:
> pass....@googlemail.com
>
> > I use SSL_ConfigSecureServer with a certificate which was created in
> > memory (no db). The certificate was created with the
> > CERT_CreateCertificate passing the CA's issuer. The same cert was
> > also signed with the CA's key. The CA cert was also created on the
> > fly, i.e. without the need to set up a DB. My understanding is that
> > SSL_ConfigSecureServer will extract the chain from the certificate
> > using CERT_CertChainFromCert but since at no stage am I somehow
> > embedding the CA into the resulting cert how is this going to work?
> >
> > I am not sure if it is possible to embed the CA cert data in the cert
> > created by CERT_CreateCertificate. If this is possible, can you
> > point me to an example how this is done?
>
> Every time you create a CERTCertificate object, NSS adds the certificate to a
> hidden global hash table in memory, keyed by the subject name. When doing
> certificate path building (CERT_CertChainFromCert, CERT_VerifyCert, et al.)
> NSS looks up the issuer names in that global hash table. Consequently, as
> long as you have a reference to the CERTCertificate for the certs in the cert
> chain at the time libssl calls CERT_CertChainFromCert, libssl will be able to
> construct the cert chain correctly.
>
> Cheers,
> Brian

Thanks for the reply Brian.

It doesn't seem to be working though. I will have another look but I am
wondering if I am creating my CA certificate correctly.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
