Hello. I have installed OpenSSL-Win64 version 1.0.1c on a 64-bit Win7
machine, which I use primarily on my home network. I am wanting to use
another program now, socat, which is making reference to the CA store in
some of its commands. As you know, OpenSSL does not, at least in Windows,
provide a CA store during installation, and no doubt for good reason. Even
so, one way or another I need to get one to use, at least I need to have the
certificates related to the current task at hand.

In this case I am connecting to a single website using https and I have
obtained the separate SSL pem for that site's authentication. It also
happens that I do have a CA store, besides the one that Windows itself
provides, as another program I use, wget, did actually install a current one
for its use. The problem I have is that the "cacert.pem" that came with wget
appears to be a single file comprised of a large collection of individual
root certificates, but these do not include the lower-level one I now need
for this server.

Now, it happens that the socat command I need is able optionally to make
reference to a certificate file in two different ways, as I understand the
manual:

cafile=<filename>
    Specifies the file with the trusted (root) authority certificates. The file
    must be in PEM format and should contain one or more certificates. The party
    that checks the authentication of its peer trusts only certificates that are
    in this file.

capath=<dirname>
    Specifies the directory with the trusted (root) certificates. The directory
    must contain certificates in PEM format and their hashes (see OpenSSL
    documentation)

It looks to me like the option for cafile would require that I have all the
certificates in one file, and the option for capath would require that they
all be separated. I don't know whether using the first option with just
this one certificate received from the site admin would work sufficiently;
but even if it did, I would be back in the same boat the next time around
with a different site. I need to have a way of combining certificates and
adding to the collection in the future. Alternatively, I would need a way of
separating these certificates I already have and put them into the proper
format along with their hashes. I have to believe that these two things can
be done, but I do not see the instructions for doing so. Can anyone provide
a pointer or aim me to the right set of instructions? Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
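
Both layouts in the socat manual excerpt above can be built from an existing bundle such as cacert.pem: a cafile is a concatenation of PEM blocks, and a capath directory holds one certificate per file named by its OpenSSL subject hash. The Python below is an added example, not part of the original post and not code from OpenSSL or socat, and it goes slightly beyond the question by de-duplicating on merge. The function names, the `certs` directory and the placeholder certificate bodies are assumptions; `write_capath` calls the real `openssl x509 -hash -noout` command.

```python
import re
import subprocess
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s.*?-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(text):
    """Return every PEM certificate block, dropping the comment text between blocks."""
    return [m.group(0).replace("\r\n", "\n") + "\n" for m in PEM_RE.finditer(text)]

def _body(block):
    # Base64 payload only, so re-wrapped copies of one certificate compare equal.
    return "".join(l.strip() for l in block.splitlines() if not l.startswith("-----"))

def merge_bundle(bundle_text, extra_text):
    """cafile style: one PEM file holding every trusted certificate, no duplicates."""
    seen, out = set(), []
    for block in split_bundle(bundle_text) + split_bundle(extra_text):
        if _body(block) not in seen:
            seen.add(_body(block))
            out.append(block)
    return "".join(out)

def write_capath(bundle_text, dirname, openssl="openssl"):
    """capath style: one file per certificate, named <subject-hash>.<n>.
    Use a fresh directory, and the openssl binary matching the client's library,
    because the subject-hash algorithm changed in OpenSSL 1.0.0."""
    out_dir = Path(dirname)
    out_dir.mkdir(parents=True, exist_ok=True)
    names = []
    for block in split_bundle(bundle_text):
        res = subprocess.run([openssl, "x509", "-hash", "-noout"], input=block,
                             capture_output=True, text=True, check=True)
        digest, n = res.stdout.strip(), 0
        while (out_dir / f"{digest}.{n}").exists():  # same subject hash: bump suffix
            n += 1
        (out_dir / f"{digest}.{n}").write_text(block)
        names.append(f"{digest}.{n}")
    return names

if __name__ == "__main__":
    # Constructed placeholder blocks (not real certificates) to show the cafile merge.
    fake = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"
    store = "Root A\n======\n" + fake.format("QUFB") + "Root B\n" + fake.format("QkJC")
    site = fake.format("Q0ND")
    merged = merge_bundle(store, site + fake.format("QUFB"))
    print(len(split_bundle(merged)), "certificates in merged cafile")
    # With real files: write_capath(Path("cacert.pem").read_text(), "certs")
```

Every certificate placed in the cafile or the capath directory becomes a trust anchor, so compare the output of `openssl x509 -fingerprint -noout -in <file>` with a value obtained from the site admin before merging a newly received certificate.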