On 10/14/2011 7:14 PM, Hopkins, Nathan wrote:
Hi, what is a truststore please and how could I read one?
A TrustStore is a list of trusted CA certificates, stored in a place where bad people cannot change it against your will.

Different crypto libraries use different ways to store their truststore. OpenSSL usually uses one of two truststore formats:

1. A single file which is simply the concatenation of the PEM certificate files of all the trusted certificates. This file is usually called "/etc/ssl/certs/ca-certificates.crt".

2. (More common and more efficient) A directory containing each trusted certificate as its own PEM file with file extension ".pem", plus some numerical symlinks created by the c_rehash program from the openssl library. This directory is usually called "/etc/ssl/certs".

In either case, you could manually read the individual .pem files or the individual PEM blocks in ca-certificates.crt and convert them to human-readable form with the command "openssl x509 -in somefile.pem -noout -text".

To programmatically use/read truststores in this format, look at the source code for the "openssl verify" command/sample in the openssl source code (file name "apps/verify.c"), and pay special attention to the calls to X509_lookup_load_file() (for the ca-certificates.crt file) and X509_lookup_add_dir() (for the /etc/ssl/certs dir).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
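The two truststore layouts described in the reply above, read from a script instead of from apps/verify.c. This is an added example, not code from the original mail or from the OpenSSL project: it splits a concatenated bundle (the ca-certificates.crt layout), scans a hashed directory for *.pem files (the /etc/ssl/certs layout, ignoring the c_rehash hash.N links, which carry no .pem suffix), checks that each PEM body decodes to a DER SEQUENCE whose declared length matches what was decoded (how a truncated or corrupted entry shows up), and keys the result by SHA-256 fingerprint so a CA present as several files or links is counted once. The sample DER blobs and file names (CA_A.pem, CA_B.pem, the 1a2b3c4d.0 link name) are constructed placeholders, not real certificates or real hash values.

```python
"""Inventory an OpenSSL-style truststore in either layout (added example)."""
import base64
import binascii
import hashlib
import os
import tempfile
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the base64 body of every CERTIFICATE block in a bundle file."""
    return PEM_RE.findall(text)


def pem_body_to_der(body):
    """Decode one PEM body to DER and check the outer ASN.1 SEQUENCE length.

    Raises ValueError on bad base64, on a body that is not a SEQUENCE, or when
    the declared length disagrees with the number of bytes actually present.
    """
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("invalid base64 in PEM block") from exc
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("PEM body is not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        length, header = der[1], 2
    else:                                   # long form: 0x80|n, then n length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER declares %d bytes, found %d" % (length, len(der) - header))
    return der


def fingerprint(der):
    """SHA-256 over the DER; the same digest `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def load_truststore(path):
    """Return {sha256_fingerprint: der} for every certificate under `path`.

    A regular file is read as a concatenated bundle; a directory is scanned for
    *.pem entries (symlinks to the real files are followed, as on Debian).
    """
    if os.path.isdir(path):
        sources = sorted(os.path.join(path, n) for n in os.listdir(path) if n.endswith(".pem"))
    else:
        sources = [path]
    certs = {}
    for src in sources:
        with open(src, "r", encoding="ascii", errors="replace") as fh:
            for body in split_pem_bundle(fh.read()):
                der = pem_body_to_der(body)          # ValueError aborts on a damaged entry
                certs.setdefault(fingerprint(der), der)
    return certs


# Constructed sample data: syntactically valid DER SEQUENCEs standing in for
# certificates (not real CAs), one with a short-form and one with a long-form length.
SAMPLE_DER_A = b"\x30\x05\x02\x03\x01\x02\x03"
SAMPLE_DER_B = b"\x30\x81\x80" + b"\x04\x7e" + b"A" * 126      # 131 bytes
# Truncated entry: decodes to 6 bytes but the SEQUENCE header claims 5 + 2 = 7.
BROKEN_BLOCK = "-----BEGIN CERTIFICATE-----\nMAUCAwEC\n-----END CERTIFICATE-----\n"


def pem_block(der):
    """Wrap DER in PEM armor with 64-column lines, as OpenSSL writes it."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_sample_truststore(root):
    """Write both layouts under `root` and return (bundle_path, dir_path)."""
    bundle = os.path.join(root, "ca-certificates.crt")
    with open(bundle, "w") as fh:
        fh.write(pem_block(SAMPLE_DER_A) + pem_block(SAMPLE_DER_B))
    hashed = os.path.join(root, "certs")
    os.mkdir(hashed)
    for name, der in (("CA_A.pem", SAMPLE_DER_A), ("CA_B.pem", SAMPLE_DER_B)):
        with open(os.path.join(hashed, name), "w") as fh:
            fh.write(pem_block(der))
    try:  # placeholder for a c_rehash hash link; no .pem suffix, so it is skipped
        os.symlink("CA_A.pem", os.path.join(hashed, "1a2b3c4d.0"))
    except OSError:
        pass
    return bundle, hashed


def inventory_sample():
    """Build the sample truststore and return the fingerprint sets of both layouts."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle, hashed = build_sample_truststore(tmp)
        return sorted(load_truststore(bundle)), sorted(load_truststore(hashed))


if __name__ == "__main__":
    bundle_fps, dir_fps = inventory_sample()
    for fp in bundle_fps:
        print("bundle", fp)
    for fp in dir_fps:
        print("dir   ", fp)
```

On a real system, `load_truststore("/etc/ssl/certs/ca-certificates.crt")` and `load_truststore("/etc/ssl/certs")` should yield the same fingerprint set; a difference means one layout was updated without the other (for example a bundle rebuilt without re-running c_rehash), and a ValueError points at the damaged entry. Note that `-fingerprint` in the openssl CLI prints the digest as colon-separated upper-case hex, so normalise before comparing.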