On Tue, Sep 09, 2014 at 04:42:53AM -0700, Liz Fall wrote:

> Thanks for the info.  I will try what you suggested today.  However, I am a
> bit confused by what you are saying - You may need to separately specify a
> CAfile, or CApath for validating the server certificate.  I have the two pem
> files below.

Most applications that use TLS do not employ client certificates.

In such applications the server typically has a certificate chain
file (containing its certificate and those of issuing CAs ordered
from leaf to optional root) and a private key file (which may be
the same as the chain file, since PEM can store multiple objects
of various types in a single file).

The client typically has no certificate chain file or private key,
rather it needs to be able to verify the server certificate.  Thus
it needs to specify the location (or employ the system default) of
the file or directory holding trusted issuer certificates.

> I thought the
> DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem file resided on the
> MongoDB database server and I was supposed to connect from my C++ app with
> the DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem file.

Or perhaps you're supposed to simply append the intermediate CA
certs in the second to the leaf server certificate in the first,
and employ the result (with a suitable private key) on the server
side.

On the client side, you'll need just the root CA cert in the
default system location (see docs for c_rehash) or explicitly
loaded by the client as a "CAfile".

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
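As an added illustration (not part of this thread or of OpenSSL), the following Python helper splits a PEM file into its objects and reports whether it looks like a server chain-plus-key file or a client trust store; the PEM bodies below are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM object: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
# PEM files may carry several such objects of different types back to back.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_objects(text):
    """Return (label, der_bytes) for each PEM object in the file.

    Raises ValueError if a block is not valid base64 or does not decode to a
    DER SEQUENCE (first byte 0x30), which every certificate and key starts with.
    """
    objs = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not contain a DER SEQUENCE")
        objs.append((label, der))
    return objs


def classify(text):
    """Summarise which TLS role a PEM file could fill for an OpenSSL application."""
    objs = pem_objects(text)
    certs = sum(1 for label, _ in objs if label == "CERTIFICATE")
    keys = sum(1 for label, _ in objs if label.endswith("PRIVATE KEY"))
    return {
        "certificates": certs,
        "private_keys": keys,
        # Server side: leaf cert (plus optional intermediates) and exactly one key.
        "server_chain_and_key": certs >= 1 and keys == 1,
        # Client side: trusted issuer certs only, no private key material.
        "client_trust_store": certs >= 1 and keys == 0,
    }


# Constructed placeholder DER (a 3-byte SEQUENCE); stands in for real objects.
_FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def _pem(label):
    return f"-----BEGIN {label}-----\n{_FAKE_DER}\n-----END {label}-----\n"


# Constructed samples: a server file (leaf + intermediate + key) and a CA file.
SERVER_FILE = _pem("CERTIFICATE") + _pem("CERTIFICATE") + _pem("RSA PRIVATE KEY")
CA_FILE = _pem("CERTIFICATE")
```

Run `classify()` over each of the two files from the thread to see which one carries a private key (server side) and which holds only issuer certificates (client `CAfile`).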