Now solved. You iterate round the STACK_OF(X509) and add them one at a time with SSL_CTX_add_extra_chain_cert.
Tim Ward - Brett Ward Limited - 07801 703 600
www.brettward.co.uk
----- Original Message -----
From: "Tim Ward" <t...@brettward.co.uk>
To: <openssl-users@openssl.org>
Sent: Monday, November 23, 2009 11:11 AM
Subject: SSL_CTX_use_certificate_chain?
How do I get an SSL server to send a certificate chain to a client in the
SSL Certificate message?
The certificate chain is in a PKCS#12 file, which I read with d2i_PKCS12_fp and then parse with PKCS12_parse, giving me an EVP_PKEY (the private key), an X509 (the certificate) and a STACK_OF(X509) (the remaining certificates in the chain?).
Then I create an SSL_CTX using SSL_CTX_new, and add the certificate and private key into it using SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey.
If I then create an SSL from this context using SSL_new and use that at
the server end of an SSL connection, it sends a Certificate message to the
client containing the server's certificate only, and not the entire chain
(which is what's needed as the client the other end isn't going to have
any of the intermediate certificates).
This is not surprising, as I've told neither the SSL_CTX nor the SSL where
to find the chain that was returned from PKCS12_parse.
Looking for a way to do this I can find no SSL_CTX_use_certificate_chain API. There's an SSL_CTX_use_certificate_chain_file, which I'm guessing would do what I wanted if the certificate chain were on disk in a .pem file, but it isn't - it's in memory in a STACK_OF(X509).
How do I get the server end of an SSL connection to use the certificate
chain parsed out of a PKCS#12 file using PKCS12_parse? Or have I
completely misunderstood how to use OpenSSL to get the certificate chain
sent?
Tim Ward - Brett Ward Limited - 07801 703 600
www.brettward.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org