https://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html Load names of CAs from file and use it as a client CA list: SSL_CTX *ctx; STACK_OF(X509_NAME) *cert_names; ... cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); if (cert_names != NULL) SSL_CTX_set_client_CA_list(ctx, cert_names); else error_handling(); The PKI used for a server certificate is not the same as the one used for client certficates. - a server has a certificate (issued by whatever PKI) - a server can request that a client presents a certificate in order to do so, the protocol requires to send a list of issuers (of client certificats). There is no relation between client certs and the server cert. On 06/13/2014 12:15 PM, nicolas....@free.fr wrote:
Hi, the fact is a server can only send a single certificate, however this one can be signed by multiple CAs on the other side, a client have (in general) a list of trusted CAs, not a single one so there are two options : - either each client knows the two CAs, then the server can send a certificate signed by any of them - or each client knows only about its own CA, then the server must send a certificate signed by both CAs (note that this is symmetrical, the server verify client certificate the same way) I've never heard about a server with multiple certificates, at least not with SSL/TLS protocols... concerning the list of trusted CAs sent by the server to the client, it comes from the fact that a client can have multiple certificates, for different servers that can use their own CA so it allows a client to choose the good certificate to send to a specific server concerning the server, if it's in public access it uses a certificate issued by a "well-known" CA (for example one included in your browser) if it's "private", it can use its own CA or even a self-signed certificate, and the client has to recover the trusted certificates by itself (this happens the first time you connect to a SSH server for which you have no certificate, or on some websites) hope I made it clear good luck! ----- Mail d'origine ----- De: Hafedh TRIMECHE <hafedh.trime...@gmail.com> À: openssl-users@openssl.org Envoyé: Fri, 13 Jun 2014 10:22:46 +0200 (CEST) Objet: Re: Re : Re: Re : Re: 2 Server certificates Hi Nicolas, pit-ca issued another certificate to a client wanting to connect to the same server identified by secure.payerspot.com. I'm looking for a solution allowing two clients to connect to the same server using certificates issued by different CAs. In this case the client forces the server verification by requesting its certificate. So the two server certificates must be sent to each client . Cetificate chain1 (issued by CA1) 0 s: i: ----BEGIN CERTIFICATE----- -----END CERTIFICATE----- Cetificate chain2 (issued by CA2) 0 s: i: ----BEGIN CERTIFICATE----- -----END CERTIFICATE----- Can two certificates be presented to a client which will identify the chained certificate to be verified ? Regards. -- View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50937.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org