Thank you for a detailed reply Dave.

> There is a standard ASN.1 structure, PKCS#7 aka Cryptographic
> Message Syntax or CMS, which can carry multiple certs and/or CRLs
> in DER (or PEM-ified single DER, as opposed to PEM concatenation)
> and is fairly commonly used for that purpose.

This makes me understand PKCS#7 or PKCS#12 can take several certificates and key in PEM format into a single file. When packaging server, intermediate and key into a single file is there a sequence to do that? Also, please correct me if my understanding is correct. Thanks.

On Tue, Oct 19, 2010 at 8:40 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
>
> > From: owner-openssl-us...@openssl.org On Behalf Of liv2luv
> > Sent: Tuesday, 19 October, 2010 11:26
>
> > I am new to SSL and Certificates.
> >
> > I have generated a CSR and certificate for signing. In return
> > I've got three certificates.
> >
> > a. Root CA's certificate
> > b. Intermediate Certificate
> > c. Server certificate
> >
> > After some searching, understand I need to combine them in
> > the sequence as server, intermediate and root certificate.
>
> Probably not. For an OpenSSL server, you do need entity +
> intermediate as below, unless the/each client has the
> intermediate as trusted (which is sometimes possible).
>
> It rarely makes sense to transmit a root in protocol,
> since the peer must have it already to trust it.
>
> > After that I converted the PEM format to DER to see the
> > certificate. It is only showing the top certificate (server
> > certificate) in this case.
>
> OpenSSL x509 can look at a certificate file in either DER or PEM
> with exactly the same capabilities. If you mean you had multiple
> certs (e.g. the chain) in one file in PEM format and did
>   openssl x509 -inform pem -outform der
> that only converts the first cert found, just like
>   openssl x509 -inform pem -text -noout
> only displays the first cert. To process with the commandline
> utility like this you must put each cert in a separate file.
> As to recombining later, see below.
>
> > How can the certificate chain be created in a single file?
>
> There is no standard format for just putting multiple certs,
> or anything else, in DER format into a file.
>
> In a few places OpenSSL accepts multiple certs in PEM format
> in a file. SSL_CTX_load_verify_locations (CAfile), used by
> -CAfile in several utilities, takes certs (and CRLs if used)
> in PEM format in one file. SSL_CTX_use_certificate_chain_file
> takes entity cert plus chain (excluding root, which as above is
> not needed) in PEM format, and thus should be what you need.
>
> This concatenated PEM format is not a standard as far as I know,
> although I believe some others have adopted OpenSSL's method.
> Remember that PEM format (here) is actually just DER encoded
> in base64 plus labels; the "real" data is actually the same.
>
> There is a standard ASN.1 structure, PKCS#7 aka Cryptographic
> Message Syntax or CMS, which can carry multiple certs and/or CRLs
> in DER (or PEM-ified single DER, as opposed to PEM concatenation)
> and is fairly commonly used for that purpose. The SSL routines
> in OpenSSL do not use PKCS#7 directly, although code you write
> using lower-level libcrypto can, and the commandline utility
> pkcs7 can display them from which you can capture them into
> one or more files in PEM format and manipulate further.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org

--
Suresh