> From: owner-openssl-us...@openssl.org On Behalf Of Dave Mitchell > Sent: Friday, October 04, 2013 17:59
> I'm writing an openssl-based app that uses client and sever certs, > generated using a private root CA. Each client has its own cert and > private key. > > For ease of deployment, I'm combining the private key and public cert > into a single file, i.e.: > > $ cat client.key client.crt > client.privcrt > > Then in the client app, doing: > > SSL_CTX_use_certificate_chain_file(ctx, "client.privcrt"); > SSL_CTX_use_PrivateKey_file(ctx, "client.privcrt", SSL_FILETYPE_PEM))); > > My questions are: > > 1) is this a reasonable thing to do? Yes. Assuming either the privkey is unencrypted (as you are doing below) or you have set up a password callback. If unencrypted, make sure the files on every system (including yours) are protected against unauthorized reads and if they are copied e.g. by a full backup those copies are secured, and transmission of the files for 'deployment' is also secure. The process you show below will never create a nontrivial chain, only a single cert under an (implicit) root, so you could call _use_certificate_file instead of _use_certificate_chain_file . But coding _chain gives you the option to substitute a real chain later if needed without code change (&test&deploy), which is good. You don't say why you chose to generate keys centrally. In case you didn't know, even with your own CA you *can* still use the conventional process of generate key+CSR on user system, send CSR to CA, CA issues cert, send cert back to user system, use. That avoids some possible exposures but not all. > 2) if so, is there a standard suffix for the file, rather than .privcrt > which I chose at random? Since concatenating in one file only works for PEM format I usually use that. Other obvious ideas would be 'identity' or 'credential' or similar. But I have no problem with privcrt, or keycrt might be a little clearer to nonexperts. There is also the possibility of using a (single) PKCS#12 file for key+cert (and name it .p12). That offers interoperability with other software, FWIW. But it's different and a bit more complicated code to use it. > 3) Is there any way to generate this file officially? Catting the two > files together seems like a hack. I'm generating the two files using: > > $ openssl genrsa -out client.key 4096 > $ openssl req -new -key client.key -out client.csr > .... > > $ openssl x509 -req -days NNNN -in client.csr \ > -CA rootca.crt -CAkey rootca.key -set_serial 01 -out client.crt > If you have two or more files and want them concatenated, I'd say cat is a fine solution. If anything, it's the extremely frequent use of cat to display *one* file to the terminal, or pipe into something, that was originally a bit of a hack, but now so well established as to be reflex. Given this is all done in one place you could do openssl x509 -req -in client.csr ... >>client.key_renamed I wouldn't call that particularly official, though. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
