Thanks for your thorough answer.
--
Sent from my mobile phone. Please excuse my brevity.

Charles

Dave Thompson <dthomp...@prinpay.com> wrote:

> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Tuesday, 21 August, 2012 14:41

> The O'Reilly OpenSSL book - in some examples but not others - cats the
> certificate and key together and then just uses that one file as both
> certificate_chain_file and PrivateKey_file.
>
> cat servercert.pem serverkey.pem > server.pem
>
If you have a nontrivial chain (not self-signed nor directly under
a root) you may want the chain/intermediate certs in this file also.
If they're not in the cert_chain file but are in the truststore
(either CAfile or CAdir) OpenSSL will use the truststore --
but as you say, keeping them together is often convenient.

> Is that okay? It does seem more convenient to only have one file to keep
> track of. Am I correct in assuming that OpenSSL is smart enough to send
> the certificate down the wire but not the key?
>
Yes. The protocol logic is separated from the file(s) anyway.

SSL[_CTX]_use_certificate[_chain]* reads from a file *or* memory,
and puts the certificate object(s) in the SSL[_CTX] object in memory.
SSL[_CTX]_use_PrivateKey* reads from a file *or* memory
and puts the private key object in the SSL[_CTX] object in memory.
Protocol logic then uses the contents of the SSL object,
possibly derived from the SSL_CTX object, to do private-key
operations locally and send cert(s) remotely as needed.
It has no clue whether they came from the same file(s).


_____________________________________________

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
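The combined-file arrangement discussed above, exercised end to end as an added example (this is not code from the thread and not OpenSSL's own code). It uses Python's ssl module, whose SSLContext.load_cert_chain() wraps the same SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey_file and SSL_CTX_check_private_key calls Dave names. It assumes the `openssl` command-line tool is on PATH (used only to mint a throwaway CA and leaf); the test PKI, the file names and every helper function are constructed for this example. It writes server.pem as leaf cert, CA cert, then key, hands that one file to the server side with no separate keyfile, runs a TLS handshake in-process over a socketpair, and reports that the client received exactly the leaf certificate from the file, that a key belonging to a different certificate is rejected at load time, and that the same file loaded as a CAfile yields two certificates with the key object skipped.

```python
# Added example (not from the thread, not OpenSSL's own code). Assumes the
# `openssl` CLI is on PATH; CA, leaf, file names and helpers are constructed
# here. ssl.SSLContext.load_cert_chain() wraps SSL_CTX_use_certificate_chain_file,
# SSL_CTX_use_PrivateKey_file and SSL_CTX_check_private_key from the reply.
import os
import re
import socket
import ssl
import subprocess
import tempfile
import threading

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----\r?\n?", re.S)


def pem_objects(path):
    """(label, text) for each PEM object in a file, in file order."""
    with open(path, "rb") as f:
        return [(m.group(1).decode(), m.group(0).decode()) for m in PEM_BLOCK.finditer(f.read())]


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_combined_pem(workdir):
    """Mint a constructed CA + leaf and write server.pem as: leaf cert, CA cert, leaf key."""
    p = {n: os.path.join(workdir, n) for n in
         ("ca.key", "ca.crt", "srv.key", "srv.csr", "srv.crt", "server.pem")}
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "1",
             "-subj", "/CN=Constructed Test CA", "-keyout", p["ca.key"], "-out", p["ca.crt"])
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", "/CN=localhost", "-keyout", p["srv.key"], "-out", p["srv.csr"])
    _openssl("x509", "-req", "-sha256", "-days", "1", "-in", p["srv.csr"], "-CA", p["ca.crt"],
             "-CAkey", p["ca.key"], "-CAcreateserial", "-out", p["srv.crt"])
    with open(p["server.pem"], "wb") as out:
        for part in ("srv.crt", "ca.crt", "srv.key"):  # order matters: leaf cert first
            with open(p[part], "rb") as f:
                out.write(f.read())
    os.chmod(p["server.pem"], 0o600)  # the file now carries the key: protect it like one
    return p


def key_matches(cert_path, key_path):
    """SSL_CTX_check_private_key at work: the key must belong to the first certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
        return True
    except ssl.SSLError:
        return False


def trust_store_cert_count(pem_path):
    """SSL_CTX_load_verify_locations keeps the certificates and skips the PRIVATE KEY object."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return ctx.cert_store_stats()["x509"]


def _serve(ctx, sock):
    with ctx.wrap_socket(sock, server_side=True) as tls:  # server-side handshake
        tls.sendall(b"hello")


def handshake(combined_pem, ca_crt):
    """Server takes chain *and* key from one file (no keyfile); client trusts only the CA."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile=combined_pem)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False  # the constructed leaf carries no SAN
    client_ctx.verify_mode = ssl.CERT_REQUIRED
    client_ctx.load_verify_locations(cafile=ca_crt)
    srv_sock, cli_sock = socket.socketpair()
    t = threading.Thread(target=_serve, args=(server_ctx, srv_sock))
    t.start()
    out = {}
    with client_ctx.wrap_socket(cli_sock) as tls:  # client-side handshake happens here
        out["peer_cert_der"] = tls.getpeercert(binary_form=True)
        out["greeting"] = tls.recv(16)
    t.join()
    return out


def demo():
    with tempfile.TemporaryDirectory() as d:
        p = make_combined_pem(d)
        objs = pem_objects(p["server.pem"])
        seen = handshake(p["server.pem"], p["ca.crt"])
        return {
            "labels": [label for label, _ in objs],
            "right_key_accepted": key_matches(p["srv.crt"], p["srv.key"]),
            "wrong_key_accepted": key_matches(p["srv.crt"], p["ca.key"]),
            "certs_in_truststore": trust_store_cert_count(p["server.pem"]),
            "leaf_cert_delivered": seen["peer_cert_der"] == ssl.PEM_cert_to_DER_cert(objs[0][1]),
            "greeting": seen["greeting"],
        }
```

Call demo() to run it. Two things worth keeping in mind when adopting the single-file layout: SSL_CTX_use_certificate_chain_file takes the first certificate in the file as the server certificate and the rest as the chain, so the leaf must come first and the key's position does not matter; and once the key is in the file, the file is a key, so it needs key permissions, and it should not be handed out as a CAfile even though, as trust_store_cert_count shows, the loader would accept it. check_hostname is disabled only because the constructed leaf has no subjectAltName; keep it on for real clients.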