[email protected] writes:

> Thank you both for your answers. It's not really necessary for me to send
> more than one certificate. However, it is necessary for the client to be
> able to send proxies.
You mean proxy certs (RFC 3820)? Then that shouldn't be a problem -- they
are part of the client cert chain that traces back to the CA. I believe
this is how you are supposed to use proxy certs.

> Does this mean that the certificates which are used to create the
> proxies must be "registered" as trusted in the server?

GnuTLS will need to be taught how to verify cert chains involving proxy
certs. I suspect it will refuse validation now, since the end entity cert
signs the proxy certs but doesn't have CA=false. Unless someone has added
support for validating proxy certs to GnuTLS when I didn't look...

> One reason I wanted to try verifying a certificate chain using the library
> functions was because of a problem I'm having with the actual certificates
> I need to use. Verification works in the client and server programs when
> I use certificates generated by `certtool', but it fails when I use my
> certificate from the DFN (Deutsches Forschungsnetz,
> http://www.pki.dfn.de/index.php?id=gridroot) and its root certificate.
> However, it does work to verify them using `certtool -e'. Does anyone
> have an idea what the reason for this could be?

Not sure -- we'd need to see the entire certificate chain to be able to
debug it.

>> Laurence, if this is what you're trying to do, i don't think you want to
>> call gnutls_certificate_set_x509_key_file twice. What you want to do is
>> to put the ordered certificates (end-entity cert, followed by successive
>> CA certs) in file A, and then the private key in a file B (only the
>> end-entity's private key -- there's no need to have the private key for
>> any intermediate CA). then call gnutls_certificate_set_x509_key_file
>> once, pointing to A and B.
>
> Thank you. It wasn't clear to me that certificates could be concatenated
> in a single file.
Right, I have improved the documentation:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2ae95bfe200b6a39bd3908bf5b74f84c643bd5e3

Thanks,
/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
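Added example, not part of the thread and not GnuTLS code: a small pure-Python check of the "file A" layout the quoted advice describes (end-entity cert first, then each successive CA cert). It parses the PEM bundle, pulls the issuer and subject Name out of each DER certificate with a minimal TLV walker, and reports any position where certificate i is not issued by certificate i+1, plus a stray private-key block that belongs in file B. The certificate names, the chain and the `fake_cert()` skeletons are constructed for the demonstration and are unsigned; they only exercise the ordering check, not signature validation.

```python
import base64
import re

# Added example (not from the thread or GnuTLS): verify that a PEM bundle is
# ordered end-entity -> intermediate(s) -> root by comparing each cert's
# issuer DER with the next cert's subject DER.


def _der_len(n):
    """DER length encoding, short and long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Wrap body in a DER tag/length/value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_names(der):
    """Return (issuer, subject) as the raw DER contents of the two Name fields."""
    _, cert, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                          # optional version [0] EXPLICIT
        pos = nxt
    _, _, pos = read_tlv(tbs, pos)           # serialNumber
    _, _, pos = read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)      # issuer Name
    _, _, pos = read_tlv(tbs, pos)           # validity
    _, subject, _ = read_tlv(tbs, pos)       # subject Name
    return issuer, subject


PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, DER bytes) for every PEM block in the text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def check_chain_file(text):
    """Return a list of problems; an empty list means file A is ordered correctly."""
    problems = []
    blocks = pem_blocks(text)
    if any(label != "CERTIFICATE" for label, _ in blocks):
        problems.append("non-certificate block in file A (the private key belongs in file B)")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no certificates found")
        return problems
    names = [cert_names(c) for c in certs]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:   # issuer of i must equal subject of i+1
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems


# --- constructed sample data: unsigned certificate skeletons, not real certs ---

def der_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (2.5.4.3)."""
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Structurally valid but unsigned certificate skeleton, enough for cert_names()."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")  # sha256WithRSA
                  + der_tlv(0x05, b""))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))               # version v3
                  + der_tlv(0x02, b"\x01")                             # serialNumber
                  + alg                                                # signature algorithm
                  + der_name(issuer_cn)                                # issuer
                  + der_tlv(0x30, der_tlv(0x17, b"240101000000Z")      # validity (UTCTime)
                            + der_tlv(0x17, b"340101000000Z"))
                  + der_name(subject_cn)                               # subject
                  + der_tlv(0x30, b""))                                # subjectPublicKeyInfo placeholder
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))           # empty signature placeholder


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


LEAF = fake_cert("laurence-client", "Example Intermediate CA")   # constructed names
INTER = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
GOOD_FILE_A = to_pem(LEAF) + to_pem(INTER) + to_pem(ROOT)        # correct order
BAD_FILE_A = to_pem(ROOT) + to_pem(INTER) + to_pem(LEAF)         # reversed, a common mistake

if __name__ == "__main__":
    print("good:", check_chain_file(GOOD_FILE_A) or "ok")
    print("bad: ", check_chain_file(BAD_FILE_A))
```

The check deliberately does not require the last certificate to be self-signed, since the root normally lives in the trust store loaded separately rather than in file A, and it compares Name DER byte-for-byte, which is stricter than RFC 5280 name matching; it is a quick sanity check on the file layout before handing A and B to gnutls_certificate_set_x509_key_file, not a substitute for the signature, CA-flag and validity checks that GnuTLS or `certtool -e` perform.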
