"Daniel Kahn Gillmor" <[email protected]> wrote: Date: Thu, November 26, 2009 4:14 pm
Thank you both for your answers. It's not really necessary for me to send more than one certificate. However, it is necessary for the client to be able to send proxies. Does this mean that the certificates which are used to create the proxies must be "registered" as trusted in the server? > On 11/26/2009 09:18 AM, Simon Josefsson wrote: >> The TLS protocol only allow clients to send one X.509 certificate to the >> server. I suspect that if you need to send two client certificates, something is wrong with your architecture. > One reason I wanted to try verifying a certificate chain using the library functions was because of a problem I'm having with the actual certificates I need to use. Verification works in the client and server programs when I use certificates generated by `certtool', but it fails when I use my certificate from the DFN (Deutsches Forschungsnetz (http://www.pki.dfn.de/index.php?id=gridroot) and its root certificate. However, it does work to verify them using `certtool -e'. Does anyone have an idea what the reason for this could be? > Laurence, if this is what you're trying to do, i don't think you want to call gnutls_certificate_set_x509_key_file twice. What you want to do is to put the ordered certificates (end-entity cert, followed by successive CA certs) in file A, and then the private key in a file B (only the end-entity's private key -- there's no need to have the private key for any intermediate CA). then call gnutls_certificate_set_x509_key_file once, pointing to A and B. Thank you. It wasn't clear to me that certificates could be concatenated in a single file. > hope this helps clear up confusion. Thanks again for your help. Laurence
[Attachment: DFN-VereinPCAGrid-G01.pem (application/x509-ca-cert)]
_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
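Added example, not code from the thread or from the GnuTLS project: a small checker for the two-file layout Daniel describes (file A = end-entity certificate followed by its CA chain, file B = the end-entity private key only), followed by the single gnutls_certificate_set_x509_key_file call. The PEM scan uses only the C standard library so it builds anywhere; compile with -DUSE_GNUTLS and -lgnutls to also perform the real credential load. The function names, the numeric error codes and the file paths are assumptions made for this example. Catching a private key that has slipped into the chain file matters because chain files are routinely copied around as trust material.

```c
/* Added example (not from the gnutls project or the list thread).
 * Sanity-checks the two files gnutls_certificate_set_x509_key_file()
 * expects, then (optionally) performs the call exactly once. */
#include <stdio.h>
#include <string.h>

#ifdef USE_GNUTLS
#include <gnutls/gnutls.h>
#endif

/* Return 1 if `line` is a PEM "-----BEGIN <label>-----" line and copy
 * <label> into `label`; return 0 for any other line. */
static int pem_begin_label(const char *line, char *label, size_t cap)
{
    const char *p = line, *end;
    size_t len;
    if (strncmp(p, "-----BEGIN ", 11) != 0)
        return 0;
    p += 11;
    end = strstr(p, "-----");
    if (!end)
        return 0;
    len = (size_t)(end - p);
    if (len >= cap)
        return 0;
    memcpy(label, p, len);
    label[len] = '\0';
    return 1;
}

/* Count certificate and private-key blocks in a PEM file (any key
 * flavour: "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", ...).
 * Returns 0 on success, -1 if the file cannot be opened. */
int pem_summary(const char *path, int *certs, int *keys)
{
    char line[512], label[128];
    FILE *f = fopen(path, "r");
    *certs = *keys = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (!pem_begin_label(line, label, sizeof label))
            continue;
        if (strcmp(label, "CERTIFICATE") == 0)
            (*certs)++;
        else if (strstr(label, "PRIVATE KEY"))
            (*keys)++;
    }
    fclose(f);
    return 0;
}

/* The layout the thread describes: file A holds one or more certificates
 * (end-entity first, then CAs) and no key; file B holds exactly one
 * private key and no certificates. Returns 0 when the layout is right,
 * otherwise a negative code (assumed values) naming the first problem. */
int check_cred_files(const char *chain_file, const char *key_file)
{
    int ac, ak, bc, bk;
    if (pem_summary(chain_file, &ac, &ak) < 0) return -1; /* A unreadable */
    if (pem_summary(key_file, &bc, &bk) < 0)   return -2; /* B unreadable */
    if (ac < 1)  return -3; /* no certificate in file A */
    if (ak != 0) return -4; /* a private key leaked into file A */
    if (bk != 1) return -5; /* file B must hold exactly the end-entity key */
    if (bc != 0) return -6; /* certificates belong in A, not in B */
    return 0;
}

#ifdef USE_GNUTLS
/* One call, as recommended in the thread, after the layout check passes.
 * Returns the negative code above or the GnuTLS return value. */
int load_client_credentials(gnutls_certificate_credentials_t cred,
                            const char *chain_file, const char *key_file)
{
    int rc = check_cred_files(chain_file, key_file);
    if (rc < 0)
        return rc;
    return gnutls_certificate_set_x509_key_file(cred, chain_file, key_file,
                                                GNUTLS_X509_FMT_PEM);
}
#endif

int main(int argc, char **argv)
{
    int rc;
    if (argc != 3) {
        fprintf(stderr, "usage: %s chain.pem key.pem\n", argv[0]);
        return 2;
    }
    rc = check_cred_files(argv[1], argv[2]);
    printf("%s (code %d)\n", rc == 0 ? "layout ok" : "layout problem", rc);
    return rc == 0 ? 0 : 1;
}
```

Run it as `./check chain.pem key.pem` before wiring the paths into the GnuTLS call; the scan only inspects PEM armour, so the cryptographic fit between the key and the first certificate is still left to `certtool -e` or to the library itself.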
