CJ Holmes wrote:
>
>
> >> 4) Are there any plans to support chained certificates? This is an area
> >> that I'm willing to contribute some time to, if there is interest (an
> >> nobody has already done it).
> >
> >Sorry, I don't know what exactly you mean with "chained certificates".
> >SSLeay/OpenSSL always supported certificate chains because that's how the
> >X.509 certificate systems works.
>
> I'm thinking about Netscape certificates or PKCS#7 certificates, which
> contain not only the subject cert but also the signer cert and possibly
> intermediate signer cert(s). In SSLeay 0.9.0, calling
> SSL_CTX_use_certificate_ASN1() with a PKCS#7/NS cert chain results in an
> error.
>
> Maybe there's another way to do it by using the x509.h calls directly, but
> certain aspects of the library are, shall we say, "lightly" documented.
This is supported already if you don't mind converting them to a form
OpenSSL understands.
Firstly you have to pull the certificate chains apart into their
separate certificates. E.g.
openssl pkcs7 -in file.pem -print_certs -out certs.pem
openssl nsseq -in seq.pem -out certs.pem
Then manually cut up certs.pem into separate files.
From then on you can proceed in two ways.
The old way is that you just have to make the chain (that is all
certificates except the server certificate itself) trusted in the same
way as client CA chains. The server chain is then automatically built
up: you can check this with s_client.
The other way is to add the extra certificates to a list of "extra
certificates" using SSL_CTX_add_extra_chain_cert(ctx,x509). Again
s_client can be used to see that the chain is sent.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
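One way to do the "cut up certs.pem into separate files" step without editing by hand, as an added shell example that is not part of this thread or of OpenSSL; the bundle it splits is constructed here with placeholder certificate bodies, and the file names cert-N.pem are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the thread): split the certs.pem produced by
#   openssl pkcs7 -in file.pem -print_certs -out certs.pem
# (or by openssl nsseq) into one PEM file per certificate, so each piece
# can be loaded as the server cert, added with SSL_CTX_add_extra_chain_cert,
# or placed in the trusted CA store. Only BEGIN..END blocks are kept; the
# subject=/issuer= lines that -print_certs emits between them are dropped.

# split_pem BUNDLE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ...
# in bundle order and prints how many certificates were written.
split_pem() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# make_sample_bundle FILE: a constructed stand-in for certs.pem. The
# base64 bodies are placeholders, NOT real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
subject=/CN=server.example (constructed)
issuer=/CN=Intermediate CA (constructed)
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDSERVERCERTBODY
-----END CERTIFICATE-----

subject=/CN=Intermediate CA (constructed)
issuer=/CN=Root CA (constructed)
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDINTERMEDIATEBODY
-----END CERTIFICATE-----
EOF
}

work=$(mktemp -d)
make_sample_bundle "$work/certs.pem"
count=$(split_pem "$work/certs.pem" "$work/split")
echo "wrote $count certificate(s) to $work/split"
# With real input, cert-1.pem is the server cert and cert-2.pem onwards
# are the chain; after installing them, check what the server actually
# sends with:  openssl s_client -connect host:port
```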