How do I get an SSL server to send a certificate chain to a client in the
SSL Certificate message?
The certificate chain is in a PKCS#12 file, which I read with d2i_PKCS12_fp
and then parse with PKCS12_parse, giving me an EVP_PKEY (the private key),
an X509 (the certificate) and a STACK_OF(X509) (the remaining certificates
in the chain?).
Then I create an SSL_CTX using SSL_CTX_new, and add the certificate and
private key into it using SSL_CTX_use_certificate and
SSL_CTX_use_PrivateKey.
If I then create an SSL from this context using SSL_new and use that at the
server end of an SSL connection, it sends a Certificate message to the
client containing the server's certificate only, and not the entire chain
(which is what's needed as the client the other end isn't going to have any
of the intermediate certificates).
This is not surprising, as I've told neither the SSL_CTX nor the SSL where
to find the chain that was returned from PKCS12_parse.
Looking for a way to do this I can find no SSL_CTX_use_certificate_chain
API. There's an SSL_CTX_use_certificate_chain_file, which I'm guessing would
do what I wanted if the certificate chain were on disk in a .pem file, but
it isn't - it's in memory in a STACK_OF(X509).
How do I get the server end of an SSL connection to use the certificate
chain parsed out of a PKCS#12 file using PKCS12_parse? Or have I completely
misunderstood how to use OpenSSL to get the certificate chain sent?
Tim Ward - Brett Ward Limited - 07801 703 600
www.brettward.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org