Re: Cert order in .pem format

2012-05-21 Thread KThirumal
Hi Pete,

I tried to load the .p12 certs to the code directly, but it failed at 
SSL_CTX_use_PrivateKey_file

1. err =  SSL_CTX_use_certificate_chain_file(ctx, KeyFile); 
2. SSL_CTX_set_default_passwd_cb(ctx, passwd); 
3. err = SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM); 
4. SSL_CTX_check_private_key(ctx); 

Can you please help with this?


RE: Cert order in .pem format

2012-05-21 Thread Dave Thompson
From: owner-openssl-...@openssl.org On Behalf Of kthiru...@inautix.co.in
Sent: Monday, 21 May, 2012 10:31
(-dev and owner- !! dropped)

I tried to load the .p12 certs to the code directly, but it 
failed at SSL_CTX_use_PrivateKey_file 

1. err =  SSL_CTX_use_certificate_chain_file(ctx, KeyFile); 
2. SSL_CTX_set_default_passwd_cb(ctx, passwd); 
3. err = SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM); 
4. SSL_CTX_check_private_key(ctx); 

_use_PrivateKey_file only handles PKCS8 format.

For PKCS12, you need to use different routines.
For the simple case of just a key + cert/chain, 
it appears you can call d2i_PKCS12_{bio,fp} and PKCS12_parse 
then SSL_[CTX_]use_{PrivateKey,certificate} 
and SSL_CTX_add_extra_chain_cert for each chain cert 
or if you just put the chain certs in the cert_store 
in your SSL_CTX it should find them automatically.

(There are more detailed PKCS12_* routines for other cases.)

Alternatively, use commandline pkcs12 to convert the PKCS12 
to PKCS8-privatekey and (X509-)certificates 
and arrange into files appropriately and use those.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: Cert order in .pem format

2012-05-18 Thread Peter Sylvester

On 05/18/2012 06:03 AM, kthiru...@inautix.co.in wrote:

Team,

Had a query in the certs that we load,

The CA's provide our certs in .p12 format, which we need to convert to a .pem and load to SSL 
structure during initialization.

On converting to .pem, it is in the following format, Private Key, CA Certs and 
Domain Certificate.

In our code, we use the below snippet to load keys in the SSL structure,

1. err =  SSL_CTX_use_certificate_chain_file(ctx, KeyFile);
2. SSL_CTX_set_default_passwd_cb(ctx, passwd);
3. err = SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM);
4. SSL_CTX_check_private_key(ctx);

When I use the same order in the key ( Private Key, CA Certs and Domain Certificate ), the above 
fails in step 3.
So we have to rearrange this order to Domain Certificate, Private Key and CA Certs for the above 
snippet to work properly.


We are trying to reduce the effort here, for someone to rearrange this cert 
order.
Can you suggest some other way to convert the certs as expected by the code or change the order of 
our code.

load the P12 file directly in your code