https://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html

Load names of CAs from file and use it as a client CA list:

 #include <openssl/ssl.h>

 SSL_CTX *ctx;
 STACK_OF(X509_NAME) *cert_names;

 ...
 /* Read the subject names of the CA certificates in CAfile.pem; these are
  * the names the server advertises as acceptable issuers of client certs. */
 cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
 if (cert_names != NULL)
   SSL_CTX_set_client_CA_list(ctx, cert_names); /* ctx takes ownership */
 else
   error_handling();


The PKI used for a server certificate is not the same as the one used for 
client certificates.

- a server has a certificate (issued by whatever PKI)
- a server can request that a client presents a certificate;
  in order to do so, the protocol requires sending a list
  of issuers (of client certificates). There is no relation
  between client certs and the server cert.
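The issuer-list mechanism described above (the server sends the names of the CAs it accepts, and a client holding several certificates uses that list to pick the right one) as an added worked example, not code from this thread or from OpenSSL. It hand-encodes the TLS 1.2 CertificateRequest `certificate_authorities` vector (RFC 5246, section 7.4.4) around minimal DER X.501 names and then performs the client-side selection; the CA and client names are constructed sample values, and the server's acceptance of two client CAs is independent of its own single server certificate.

```python
"""Encode and parse the TLS 1.2 CertificateRequest certificate_authorities
field (RFC 5246 section 7.4.4) and select a client cert by issuer name."""
import struct

# OID 2.5.4.3 (id-at-commonName), already DER-encoded
_OID_CN = b"\x06\x03\x55\x04\x03"


def _der_tlv(tag, body):
    """Minimal DER tag-length-value for bodies shorter than 65536 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


def der_name_cn(cn):
    """DER X.501 Name with one CN RDN: SEQ { SET { SEQ { OID, UTF8String } } }."""
    atv = _der_tlv(0x30, _OID_CN + _der_tlv(0x0C, cn.encode("utf-8")))
    rdn = _der_tlv(0x31, atv)
    return _der_tlv(0x30, rdn)


def encode_certificate_authorities(names):
    """Server side: DistinguishedName certificate_authorities<0..2^16-1>,
    each entry an opaque<1..2^16-1> holding a DER Name."""
    body = b"".join(struct.pack(">H", len(n)) + n for n in names)
    return struct.pack(">H", len(body)) + body


def decode_certificate_authorities(blob):
    """Client side: parse the vector back into DER names, rejecting
    truncated or inconsistent lengths instead of reading past the buffer."""
    if len(blob) < 2:
        raise ValueError("truncated certificate_authorities length")
    (total,) = struct.unpack(">H", blob[:2])
    if len(blob) != 2 + total:
        raise ValueError("certificate_authorities length mismatch")
    names, pos, end = [], 2, 2 + total
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("bad DistinguishedName length")
        names.append(blob[pos:pos + n])
        pos += n
    return names


def choose_client_cert(client_certs, acceptable_names):
    """Return the first client cert whose issuer DER name is in the server's
    list, else None (exact byte comparison; OpenSSL uses X509_NAME_cmp)."""
    acceptable = set(acceptable_names)
    for cert in client_certs:
        if cert["issuer"] in acceptable:
            return cert
    return None


# Constructed sample data (hypothetical, not from the thread): the server
# accepts client certs issued by two different CAs; each client holds a
# cert from its own CA, and client B also holds an unrelated one.
SERVER_ACCEPTED_CAS = [der_name_cn("CA1"), der_name_cn("CA2")]
CLIENT_A_CERTS = [{"subject": "clientA", "issuer": der_name_cn("CA1")}]
CLIENT_B_CERTS = [
    {"subject": "clientB-other", "issuer": der_name_cn("Other CA")},
    {"subject": "clientB", "issuer": der_name_cn("CA2")},
]


def demo():
    """Server encodes its CA list; each client decodes it and picks a cert."""
    wire = encode_certificate_authorities(SERVER_ACCEPTED_CAS)
    names = decode_certificate_authorities(wire)
    a = choose_client_cert(CLIENT_A_CERTS, names)
    b = choose_client_cert(CLIENT_B_CERTS, names)
    return {"A": a["subject"] if a else None, "B": b["subject"] if b else None}


if __name__ == "__main__":
    print(demo())
```

Running the script shows client A selecting its CA1-issued certificate and client B skipping the "Other CA" certificate in favour of the CA2-issued one, which is exactly what the advertised issuer list is for; a client whose only certificate comes from a CA absent from the list gets `None` and would send an empty Certificate message.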



On 06/13/2014 12:15 PM, nicolas....@free.fr wrote:
Hi,

the fact is a server can only send a single certificate, however this one can 
be signed by multiple CAs
on the other side, a client has (in general) a list of trusted CAs, not a 
single one

so there are two options :
- either each client knows the two CAs, then the server can send a certificate 
signed by any of them
- or each client knows only about its own CA, then the server must send a 
certificate signed by both CAs
(note that this is symmetrical, the server verifies the client certificate the same 
way)

I've never heard about a server with multiple certificates, at least not with 
SSL/TLS protocols...


concerning the list of trusted CAs sent by the server to the client, it comes 
from the fact that a client can have multiple certificates, for different 
servers that can use their own CA
so it allows a client to choose the right certificate to send to a specific 
server

concerning the server, if it's in public access it uses a certificate issued by a 
"well-known" CA (for example one included in your browser)
if it's "private", it can use its own CA or even a self-signed certificate, and 
the client has to recover the trusted certificates by itself (this happens the first time 
you connect to an SSH server for which you have no certificate, or on some websites)


hope I made it clear
good luck!


----- Original Message -----
From: Hafedh TRIMECHE <hafedh.trime...@gmail.com>
To: openssl-users@openssl.org
Sent: Fri, 13 Jun 2014 10:22:46 +0200 (CEST)
Subject: Re: Re : Re: Re : Re: 2 Server certificates

Hi Nicolas,

pit-ca issued another certificate to a client wanting to connect to the same
server identified by secure.payerspot.com.

I'm looking for a solution allowing two clients to connect to the same
server using certificates issued by different CAs.

In this case the client forces the server verification by requesting its
certificate.

So the two server certificates must be sent to each client.

Certificate chain1 (issued by CA1)
0 s:
    i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Certificate chain2 (issued by CA2)
0 s:
    i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Can two certificates be presented to a client which will identify the
chained certificate to be verified ?

Regards.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50937.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
