> -----Original Message-----
> From: [email protected] [mailto:owner-openssl-[email protected]] On Behalf Of Jakob Bohm
> Sent: Friday, July 13, 2012 5:15 AM
> To: [email protected]
> Subject: Re: CA Certificates Store
>
> On 7/13/2012 12:50 AM, John wrote:
> > Hello. I have installed OpenSSL-Win64 version 1.0.1c on a 64-bit Win7
> > machine, which I use primarily on my home network. I am wanting to
> > use another program now, socat, which is making reference to the CA
> > store in some of its commands. As you know, OpenSSL does not, at least
> > in Windows, provide a CA store during installation, and no doubt for
> > good reason. Even so, one way or another I need to get one to use, at
> > least I need to have the certificates related to the current task at
> > hand.
> >
> > In this case I am connecting to a single website using https and I
> > have obtained the separate SSL pem for that site's authentication. It
> > also happens that I do have a CA store, besides the one that Windows
> > itself provides, as another program I use, wget, did actually install
> > a current one for its use. The problem I have is that the "cacert.pem"
> > that came with wget appears to be a single file comprised of a large
> > collection of individual root certificates, but these do not include
> > the lower-level one I now need for this server.
> >
> > Now, it happens that the socat command I need is able optionally to
> > make reference to a certificate file in two different ways, as I
> > understand the manual:
> >
> > cafile=<filename>
> > Specifies the file with the trusted (root) authority certificates. The
> > file must be in PEM format and should contain one or more
> > certificates. The party that checks the authentication of its peer
> > trusts only certificates that are in this file.
>
> This is the same file format you have in your "wget" repository (note
> that this must be an unofficial wget distribution, the common
> distributions of wget do not include any CA certs)
>
> > capath=<dirname>
> > Specifies the directory with the trusted (root) certificates. The
> > directory must contain certificates in PEM format and their hashes
> > (see OpenSSL documentation)
>
> This is the "hashed directory" format also used on most UNIX style
> openssl installations. The directory needs to contain:
>
> One text file for each certificate, with any file name (avoid spaces,
> try to stick to ASCII). Format is a single "PEM" format CA
> certificate, file extension is ".pem". Certificates that are in binary
> format can be converted with the command "openssl x509 -inform DER -in
> oldfilename.crt -out newfilename.pem"
>
> A copy of each of these text files with the file name obtained by
> running the command "openssl x509 -noout -hash -in originalcertfile.pem"
> followed by a period and a small number (usually 0). If more than one
> certificate has the same hash, but they are really different (this does
> happen!), use a larger number, such as 1 or 2 or ...
>
> There is a standard unix-only perl script to do this called c_rehash; I
> have converted it to a Windows batch file at the end of this mail
>
> > It looks to me like the option for cafile would require that I have
> > all the certificates in one file, and the option for capath would
> > require that they all be separated. I don't know whether using the
> > first option with just this one certificate received from the site
> > admin would work sufficiently; but even if it did, I would be back in
> > the same boat the next time around with a different site. I need to
> > have a way of combining certificates and adding to the collection in
> > the future.
> > Alternatively, I would need a way of separating these
> > certificates I already have and put them into the proper format along
> > with their hashes. I have to believe that these two things can be
> > done, but I do not see the instructions for doing so. Can anyone
> > provide a pointer or aim me to the right set of instructions? Thanks.
>
> Below is the rewritten c_rehash program.
>
> Put all the trusted CA certificates and their CRLs in a directory
> called "input" and then run this batch file, it will create a new
> directory named "certs" with the standard contents.
> The certificates must already be in "PEM" format, otherwise the
> combined ca-certificates.crt bundle will be wrong.
> Avoid file names with spaces or equal signs in them.
>
> ---- c_rehash bat begins here ----
> @echo off
> REM Copyright (C) 2012,2012 WiseMo A/S. All Rights Reserved.
> REM Licensed under the OpenSSL license, no part of this file is from eay or tjw
> REM Windows batch rewrite of c_rehash perl script
> REM version 0.1, tested with OpenSSL 1.0.x
> REM Start from an empty certs directory
> if exist certs rd /s /q certs
> if exist certs goto FAIL
> md certs
> if not exist certs goto FAIL
> REM Copy every input certificate into certs\ with a .pem extension
> if exist input\*.cer copy input\*.cer certs\*.pem
> if exist input\*.crt copy input\*.crt certs\*.pem /Y
> if exist input\*.pem copy input\*.pem certs\*.pem /Y
> REM A previous combined bundle must not be treated as a single CA
> if exist certs\ca-certificates.pem del certs\ca-certificates.pem
> if not exist certs\*.pem goto FAIL
> if exist input\*.crl copy input\*.crl certs\
> REM Create the <hash>.N and <hash>.rN copies, then the combined bundle
> for %%A in (certs\*.pem) do call :HASHX509 %%A
> for %%A in (certs\*.crl) do call :HASHCRL %%A
> copy certs\*.pem certs\ca-certificates.crt >NUL
> goto DONE
>
> :HASHX509
> REM Try PEM first, then DER; HASH ends in "." for certificates
> set HASH=
> ( for %%B in (pem der) do for /F %%C in ('openssl x509 -noout -hash -inform %%B -in %1') do if not "%%C"=="" set HASH=%%C.
> ) 2>NUL
> goto HASHCMN
>
> :HASHCRL
> REM Same for CRLs; HASH ends in ".r"
> set HASH=
> ( for %%B in (pem der) do for /F %%C in ('openssl crl -noout -hash -inform %%B -in %1') do if not "%%C"=="" set HASH=%%C.r
> ) 2>NUL
> goto HASHCMN
>
> :HASHCMN
> if "%HASH%"=="" goto BADFILE
> REM Counting down leaves NUM at the smallest unused suffix for this hash
> set NUM=bad
> for /L %%B in (10,-1,0) do if not exist "certs\%HASH%%%B" set NUM=%%B
> if "%NUM%"=="bad" for /L %%B in (100,-1,0) do if not exist "certs\%HASH%%%B" set NUM=%%B
> if "%NUM%"=="bad" for /L %%B in (999,-1,0) do if not exist "certs\%HASH%%%B" set NUM=%%B
> if "%NUM%"=="bad" goto TOOMANY
> copy %1 certs\%HASH%%NUM% >NUL
> if not exist certs\%HASH%%NUM% goto HASHFAIL
> set HASH=
> goto DONE
>
> :BADFILE
> echo Warning: %1 is not a valid file
> goto DONE
> :TOOMANY
> echo Error: more than 1000 CAs with hash %HASH%, skipping %1
> set HASH=
> goto DONE
> :HASHFAIL
> echo Error creating hashed copy of %1 as %HASH%%NUM%
> set HASH=
> goto DONE
> :FAIL
> REM Reached when the certs directory cannot be (re)created or input holds no certificates
> echo Error: could not create the certs directory or no certificates found in input
>
> :DONE
> ---- c_rehash bat ends here ----
>
> Enjoy
Jakob, hello. I do appreciate your help. It is going to take a little while for me to digest what you have provided. Meanwhile, I want to share the link for this wget, which appears to be "official" as far as I can see:

http://sourceforge.net/projects/getgnuwin32/files/getgnuwin32/test%20builds/
"wget-1.13.4.56-620c__mingw__05-23-12"

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
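The two things John asks for, splitting an existing cacert.pem bundle into one certificate per file and laying those files out in the "hashed directory" format Jakob describes (<hash>.N for certificates, <hash>.rN for CRLs, with N counting up when different CAs share a hash), as an added example in Python. This is not code from the thread and not the OpenSSL project's own c_rehash. It assumes the openssl command-line tool is on PATH for the real subject-name hash; the hasher is injectable so the naming and duplicate handling can be exercised without it, and SAMPLE_BUNDLE is a constructed input with made-up base64 bodies, not real certificates.

```python
#!/usr/bin/env python3
"""Split a PEM CA bundle into one certificate per file and build an
OpenSSL "hashed directory" usable as capath= / -CApath.

Added example, not code from the thread.  Assumes the `openssl` binary is on
PATH when the default hasher is used."""
import os
import re
import subprocess
from typing import Callable, Dict, List

# One PEM block (certificate or CRL), tolerant of CRLF.  Text between blocks,
# such as the "Subject:" comments in the wget/curl bundles, is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN (CERTIFICATE|X509 CRL)-----\r?\n.*?-----END \1-----",
    re.DOTALL,
)

# Constructed sample bundle (not real certificates); only usable with an
# injected hasher, the openssl CLI would reject these bodies.
SAMPLE_BUNDLE = (
    "# constructed bundle, not real certificates\n"
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\r\nBBBB\r\n-----END CERTIFICATE-----"
    "\n-----BEGIN X509 CRL-----\nCCCC\n-----END X509 CRL-----"
)


def split_pem_bundle(text: str) -> List[str]:
    """Every PEM block in the bundle, normalized to LF and newline-terminated.
    (A last block with no trailing newline is what breaks a naive
    'copy *.pem bundle.crt' concatenation.)"""
    return [m.group(0).replace("\r\n", "\n") + "\n"
            for m in PEM_BLOCK.finditer(text)]


def pem_body(pem: str) -> str:
    """Base64 payload with whitespace stripped; the key used to spot duplicates."""
    lines = pem.strip().splitlines()
    return "".join(line.strip() for line in lines[1:-1])


def openssl_hash(pem: str) -> str:
    """Subject-name hash as printed by 'openssl x509 -hash' / 'openssl crl -hash'.
    OpenSSL 1.0.0 changed this hash, so a directory built with 0.9.8 tools
    must be rehashed for 1.0.x and vice versa."""
    kind = "crl" if "X509 CRL" in pem else "x509"
    out = subprocess.run(["openssl", kind, "-noout", "-hash"], input=pem.encode(),
                         capture_output=True, check=True).stdout
    return out.decode().strip()


def hashed_name(hash_hex: str, is_crl: bool, taken: set) -> str:
    """<hash>.N for certificates, <hash>.rN for CRLs, smallest free N.
    Distinct CAs really can share a hash, hence the suffix."""
    suffix = ".r" if is_crl else "."
    n = 0
    while f"{hash_hex}{suffix}{n}" in taken:
        n += 1
    name = f"{hash_hex}{suffix}{n}"
    taken.add(name)
    return name


def build_hashed_dir(bundle_text: str, outdir: str,
                     hasher: Callable[[str], str] = openssl_hash) -> Dict[str, str]:
    """Write each block of bundle_text not already present in outdir under its
    hashed name, so the function can be re-run to add CAs later.
    Returns name -> PEM for the files it wrote."""
    os.makedirs(outdir, exist_ok=True)
    taken = set(os.listdir(outdir))
    seen = set()
    for name in taken:
        path = os.path.join(outdir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                seen.update(pem_body(b) for b in split_pem_bundle(f.read()))
    written: Dict[str, str] = {}
    for pem in split_pem_bundle(bundle_text):
        body = pem_body(pem)
        if body in seen:
            continue  # identical certificate already in the directory
        h = hasher(pem)
        if not re.fullmatch(r"[0-9a-f]{8}", h):
            raise ValueError(f"unexpected hash output {h!r}")
        name = hashed_name(h, "X509 CRL" in pem, taken)
        with open(os.path.join(outdir, name), "w", newline="\n") as f:
            f.write(pem)
        seen.add(body)
        written[name] = pem
    return written


def demo(outdir: str) -> Dict[str, str]:
    """Dry run on SAMPLE_BUNDLE with a fake hasher that forces a collision."""
    return build_hashed_dir(SAMPLE_BUNDLE, outdir, hasher=lambda pem: "deadbeef")


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) == 3:      # rehash.py cacert.pem certs_dir
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            names = build_hashed_dir(f.read(), sys.argv[2])
    else:
        names = demo(tempfile.mkdtemp())
    for n in sorted(names):
        print(n)
```

Unlike the batch file, this writes only the hashed names, which is all capath needs; check the result with `openssl verify -CApath certs site.pem` before pointing socat at it. Running the script a second time on the same bundle writes nothing, and a new certificate whose subject hashes the same as an existing one gets the next free suffix.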
