My guess would be that, because it's for client verification, not for general trust determination, the verification list is separate from the default system CA list. I'd have to look in the code to confirm.
If your Ubuntu box is like my Debian Lenny box, wouldn't all the certs in /etc/ssl/certs/ be compiled/concatenated into /etc/ssl/certs/ca-certificates.crt? That would be your system list. If they aren't already, it would be relatively trivial to run cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt as part of the pound init.d or startup script.

Joe

> -----Original Message-----
> From: Rob Moore [mailto:[email protected]]
> Sent: Thursday, August 26, 2010 11:31 AM
> To: [email protected]
> Subject: [Pound Mailing List] Possible to use system certificates for
> client cert verification?
>
> I would like to use the CA certificates installed as part of the OS (Ubuntu
> Linux in this case) to verify client certificates rather than specify a
> particular file containing these CA certificates using VerifyList. I've
> tried specifying "ClientCert 2 9" without defining VerifyList but received
> an error which I assume is because no VerifyList has been defined.
>
> I'd thought that the OpenSSL libraries would pick up the system certificates
> by default but perhaps this is not the case?
>
> Thanks,
>
> Rob
>
> --
> To unsubscribe send an email with subject unsubscribe to
> [email protected].
> Please contact [email protected] for questions.
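The concatenation step suggested in the reply above, written as a startup-script helper; this is an added example, not part of the original thread or of Pound. The function name `build_verify_list` is hypothetical, and the sketch assumes one certificate per `.pem` file (as in /etc/ssl/certs) and an `openssl` binary on the PATH. It skips files that are not certificates or have expired, and replaces the bundle atomically so Pound never reads a half-written VerifyList file.

```shell
#!/bin/sh
# build_verify_list SRC_DIR OUT_FILE   (hypothetical helper, not a Pound tool)
# Writes every parseable, unexpired certificate found in SRC_DIR/*.pem to
# OUT_FILE and prints the number of certificates written.
# Returns non-zero, leaving any existing OUT_FILE untouched, if none qualify.
build_verify_list() {
    src=$1
    out=$2
    # Temp file in the same directory as OUT_FILE so the final mv is atomic.
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    count=0
    for f in "$src"/*.pem; do
        [ -f "$f" ] || continue    # glob matched nothing, or a dangling symlink
        # -checkend 0 fails for expired certs; non-certificate files fail to parse.
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            # Re-encode so only the certificate is copied, not stray text or keys.
            openssl x509 -in "$f" -outform PEM >>"$tmp" || { rm -f "$tmp"; return 1; }
            count=$((count + 1))
        else
            echo "skipping $f: not a certificate, or expired" >&2
        fi
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$out" || { rm -f "$tmp"; return 1; }
    echo "$count"
}

# Usage from an init script, with the paths named in the thread:
#   build_verify_list /etc/ssl/certs /etc/ssl/certs/ca-certificates.crt
```

Every CA in the resulting file can vouch for a client certificate, so pointing SRC_DIR at a directory holding only the CAs that issue your client certificates gives a narrower VerifyList than the full system set.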
