Re: Cert order in .pem format
Hi Pete,

I tried to load the .p12 certs to the code directly, but it failed at SSL_CTX_use_PrivateKey_file:

1. err = SSL_CTX_use_certificate_chain_file(ctx, KeyFile);
2. SSL_CTX_set_default_passwd_cb(ctx, passwd);
3. err = SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM);
4. SSL_CTX_check_private_key(ctx);

Can you please help with this?

RE: Cert order in .pem format
From: owner-openssl-...@openssl.org On Behalf Of kthiru...@inautix.co.in
Sent: Monday, 21 May, 2012 10:31

(-dev and owner- !! dropped)

> I tried to load the .p12 certs to the code directly, but it failed at
> SSL_CTX_use_PrivateKey_file
>
> 1. err = SSL_CTX_use_certificate_chain_file(ctx, KeyFile);
> 2. SSL_CTX_set_default_passwd_cb(ctx, passwd);
> 3. err = SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM);
> 4. SSL_CTX_check_private_key(ctx);

_use_PrivateKey_file only handles PKCS8 format. For PKCS12, you need to use different routines.

For the simple case of just a key cert/chain, it appears you can call d2i_PKCS12_{bio,fp} and PKCS12_parse, then SSL_[CTX_]use_{PrivateKey,certificate} and SSL_CTX_add_extra_chain_cert for each chain cert, or if you just put the chain certs in the cert_store in your SSL_CTX it should find them automatically. (There are more detailed PKCS12_* routines for other cases.)

Alternatively, use commandline pkcs12 to convert the PKCS12 to PKCS8-privatekey and (X509-)certificates and arrange into files appropriately and use those.

Re: Cert order in .pem format
On 05/18/2012 06:03 AM, kthiru...@inautix.co.in wrote:

> Team,
>
> I had a query about the certs that we load. The CAs provide our certs in .p12 format, which we need to convert to a .pem and load into the SSL structure during initialization. On converting to .pem, it is in the following format: Private Key, CA Certs and Domain Certificate.
>
> In our code, we use the below snippet to load keys in the SSL structure:
>
> 1. err = SSL_CTX_use_certificate_chain_file(ctx, KeyFile);
> 2. SSL_CTX_set_default_passwd_cb(ctx, passwd);
> 3. err = SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM);
> 4. SSL_CTX_check_private_key(ctx);
>
> When I use the same order in the key (Private Key, CA Certs and Domain Certificate), the above fails in step 3. So we have to rearrange this order to Domain Certificate, Private Key and CA Certs for the above snippet to work properly.
>
> We are trying to reduce the effort here, for someone to rearrange this cert order. Can you suggest some other way to convert the certs as expected by the code or change the order of our code.

Load the P12 file directly in your code.
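
For the manual rearranging step discussed in this thread, an added example (not code from the thread or from the OpenSSL project): a standard-library-only script that rewrites a converted PEM bundle as domain certificate, private key, then CA certificates, the order the original poster reports as working. It assumes one private key and one chain per bundle and links certificates by issuer and subject name only, without verifying signatures; all function names are this example's own.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the encoded issuer and subject Names of a DER certificate."""
    _, pos, _ = read_tlv(der, 0)    # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # TBSCertificate ::= SEQUENCE
    fields = []                     # serial, sigalg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def reorder_bundle(pem_text):
    """Return the bundle as: end-entity cert, private key, CA certs leaf-to-root."""
    keys, certs = [], []
    for m in PEM_RE.finditer(pem_text):  # text between blocks (bag attributes) is dropped
        if m.group(1).endswith("PRIVATE KEY"):
            keys.append(m.group(0))
        elif m.group(1) == "CERTIFICATE":
            certs.append(issuer_subject(base64.b64decode(m.group(2))) + (m.group(0),))
    issuers = {i for i, s, _ in certs if i != s}  # names that issued another cert
    leaves = [c for c in certs if c[1] not in issuers]
    if len(keys) != 1 or len(leaves) != 1:
        raise ValueError("need exactly one private key and one end-entity certificate")
    chain, rest = leaves, [c for c in certs if c is not leaves[0]]
    while rest:  # follow issuer names upward from the leaf (assumption: names only)
        nxt = next((c for c in rest if c[1] == chain[-1][0]), None)
        if nxt is None:
            raise ValueError("certificate does not link into the chain")
        chain.append(nxt)
        rest.remove(nxt)
    return "\n".join([chain[0][2]] + keys + [c[2] for c in chain[1:]]) + "\n"

if __name__ == "__main__":
    with open(sys.argv[1]) as f:
        sys.stdout.write(reorder_bundle(f.read()))
```

The output contains the private key, so redirect it to a file with the same restrictive permissions as the input bundle.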