List: openssl-users
Subject: Re: SSL_CTX_use_certificate_chain?
From: "Tim Ward" <tim () brettward ! co ! uk>
Date: 2009-11-23 14:14:26
Message-ID: 03B4795ED0E04BC78E3F2F81A4CA8F94 () brettward ! local
Now solved. You iterate round the STACK_OF(X509) and add them one at a time with SSL_CTX_add_extra_chain_cert.
Tim Ward - Brett Ward Limited - 07801 703 600
www.brettward.co.uk
----- Original Message -----
From: "Tim Ward" <tim@brettward.co.uk>
To: <openssl-users@openssl.org>
Sent: Monday, November 23, 2009 11:11 AM
Subject: SSL_CTX_use_certificate_chain?
> How do I get an SSL server to send a certificate chain to a client in the
> SSL Certificate message?
>
> The certificate chain is in a PKCS#12 file, which I read with
>
> d2i_PKCS12_fp
>
> and then parse with
>
> PKCS12_parse
>
> giving me an EVP_PKEY (the private key), an X509 (the certificate) and a
> STACK_OF(X509) (the remaining certificates in the chain?).
>
> Then I create an SSL_CTX using SSL_CTX_new, and add the certificate and
> private key into it using
>
> SSL_CTX_use_certificate
> SSL_CTX_use_PrivateKey
>
> If I then create an SSL from this context using SSL_new and use that at
> the server end of an SSL connection, it sends a Certificate message to the
> client containing the server's certificate only, and not the entire chain
> (which is what's needed, as the client at the other end isn't going to have
> any of the intermediate certificates).
>
> This is not surprising, as I've told neither the SSL_CTX nor the SSL where
> to find the chain that was returned from PKCS12_parse.
>
> Looking for a way to do this I can find no SSL_CTX_use_certificate_chain
> API. There's a SSL_CTX_use_certificate_chain_file, which I'm guessing
> would do what I wanted if the certificate chain were on disk in a .pem
> file, but it isn't - it's in memory in a STACK_OF(X509).
>
> How do I get the server end of an SSL connection to use the certificate
> chain parsed out of a PKCS#12 file using PKCS12_parse? Or have I
> completely misunderstood how to use OpenSSL to get the certificate chain
> sent?
>
> Tim Ward - Brett Ward Limited - 07801 703 600
> www.brettward.co.uk
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org