On Tue, 16 Sep 2003, Dann Daggett wrote:

> I understand. Are there options on how the chain is presented?
> In particular, is it always presented as a single (combined)
> response to the client, or can/does the client make a second
> request for the next cert up the chain if it finds it does not
> yet trust the last cert presented?

It is always presented chained to the certificate of the server, as part of the server hello packet.

> So I take it the simple "cat" command would do to create the
> chain file, right?

Yes.

> I suppose that means the application may or may not require
> the certs in the chain file to be in any particular order,
> and, one application (i.e. Apache) might even require the
> file constructed differently than another app (say Sendmail)?

If they want a certificate chain then they will most likely all use the same format. However, not all applications know to load certificate chains. All should know to load a directory or file of trusted CA certificates however, and this should also make OpenSSL build the certificate chain where needed.

> That's interesting. So it sounds as though each app must be told
> where the certs are and it's NOT something that the OpenSSL lib
> inherently knows?

Depends. OpenSSL also has default directories where it looks for CA certificates if the application asks it to use the default CA certificates in addition to any CA certificates provided by the application when verifying the validity of certificates. The application however must tell which certificate and key the application wants to use.

> But what about the references I've read that require the
> creation of hashed links to the individual certs in a directory?
> Who, and/or what, uses that data then? Is that application
> dependent as well?

Up to the application if it is application dependent or not. OpenSSL can read CA certificates in three manners:

a) Hashed directory
b) Linear file
c) Part of certificate chain

'a' and 'b' can exist both as 'default directories' and as application provided. If the application does not say anything no CA certificates are loaded. Maybe it also has built-in CA certificates, I do not know. How it determines the 'default directories' to use I do not know, but there is a SSL_CTX_set_default_verify_paths() call which supposedly sets them up.

Always safest to have the application specify the location of trusted CA certificates.

Regards
Henrik
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
Automated List Manager
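As an added example (not part of the thread, nor OpenSSL project code), the script below exercises the three ways of supplying CA certificates that Henrik lists: a chain file built with plain `cat`, a hashed directory, and a linear CA file, each checked with `openssl verify`. It assumes an `openssl` CLI (1.1.1 or 3.x) on PATH; all subjects and file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not code from the thread: the three ways OpenSSL can be given
# CA certificates (hashed directory, linear file, chain file), exercised with
# the openssl CLI. Assumes openssl 1.1.1 or 3.x on PATH; every file name
# and subject here is constructed for the demo.
set -e

# Build a small test PKI: root -> intermediate -> server (constructed data).
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj '/CN=Demo Root' -days 30 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj '/CN=Demo Intermediate' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj '/CN=server.example' -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
}

# (c) Chain file: plain cat, server certificate first, then each issuer up to
# but not including the root, which the peer must already trust.
build_chain_file() {
    cat "$1/server.crt" "$1/int.crt" > "$1/chain.pem"
}

# (a) Hashed directory: each trusted cert is linked as <subject_hash>.N, the
# layout -CApath and SSL_CTX_load_verify_locations() look up by issuer name.
make_hashed_dir() {
    capath=$1; shift; mkdir -p "$capath"
    for crt in "$@"; do
        h=$(openssl x509 -noout -subject_hash -in "$crt")
        n=0
        while [ -e "$capath/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(cd "$(dirname "$crt")" && pwd)/$(basename "$crt")" "$capath/$h.$n"
    done
}

# Verify the server cert: intermediates come from the chain file (untrusted),
# the root from the hashed directory (a) or a linear file (b) only, with the
# defaults switched off so nothing is loaded that was not named explicitly.
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$2" -untrusted "$1/chain.pem" "$1/server.crt" >/dev/null 2>&1
}
verify_with_cafile() {
    openssl verify -no-CApath -CAfile "$1/root.crt" -untrusted "$1/chain.pem" "$1/server.crt" >/dev/null 2>&1
}
```

Pointing `-CApath` at an empty directory makes the same verification fail, which is the "if the application does not say anything, no CA certificates are loaded" case from the reply.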