> From: [email protected] On Behalf Of praveen likhar
> Sent: Wednesday, 27 October, 2010 04:34
> I have a .p12 (pkcs12 format) certificate and I want to load it
> at the client CA list using openssl api functions and want to use it at
> verifying time. So please tell me what the openssl api functions
> are for using a certificate chain and how to do it.

Your question isn't clear.

1. You have a pkcs12 containing a KEY AND cert (the normal use for p12) which you wish an SSL client to use to authenticate itself (to a server). Extract the key and cert and give them to SSL_[CTX_]use_PrivateKey* and SSL_[CTX_]use_certificate*. If the client cert is not directly under a CA cert known to (trusted by) the server, you need to send the chain up to the point that is trusted. I think it works if you have them in the place(s) set by SSL_CTX_load_verify_locations or SSL_CTX_set_default_verify_paths (also used by the client to verify the server). Or use SSL_CTX_add_extra_chain_cert, or put them in a (single concatenated PEM) file with the entity cert and use SSL_CTX_use_certificate_chain_file.

Note an openssl client doesn't need the server to say the clientCA-list correctly; it will use the configured key/cert even though that doesn't match the server's request; if the server doesn't like this, it can (and must) fail the handshake. If you do want an openssl server to say the clientCA-list, use SSL_[CTX_]add_client_CA or set_client_CA_list.

2. You have a pkcs12 containing only one or more certs, which is not a usual use of pkcs12 but is permitted as far as I can see, and want to use it/them to verify something or somebody. In many cases, particularly including SSL, the sender/signer/whatever provides their cert in the data, so you don't need to have it already. That's the main benefit (or at least supposed to be) of PKI. What you do need are the CA certs under which peer certs are issued, especially if they are not well-known CAs like Thawte/Verisign/etc.
(That is, you always need the CA cert, but usually you already have or can easily get the well-known ones, so you only need to worry about getting private or local or experimental ones.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
