
List:       openssl-users
Subject:    Re: SSL_CTX_use_certificate_chain?
From:       "Tim Ward" <tim@brettward.co.uk>
Date:       2009-11-23 14:14:26
Message-ID: 03B4795ED0E04BC78E3F2F81A4CA8F94@brettward.local

Now solved. You iterate round the STACK_OF(X509) and add them one at a time 
with

SSL_CTX_add_extra_chain_cert

Tim Ward - Brett Ward Limited - 07801 703 600
www.brettward.co.uk
----- Original Message ----- 
From: "Tim Ward" <tim@brettward.co.uk>
To: <openssl-users@openssl.org>
Sent: Monday, November 23, 2009 11:11 AM
Subject: SSL_CTX_use_certificate_chain?


> How do I get an SSL server to send a certificate chain to a client in the 
> SSL Certificate message?
>
> The certificate chain is in a PKCS#12 file, which I read with
>
>    d2i_PKCS12_fp
>
> and then parse with
>
>    PKCS12_parse
>
> giving me an EVP_PKEY (the private key), an X509 (the certificate) and a 
> STACK_OF(X509) (the remaining certificates in the chain?).
>
> Then I create an SSL_CTX using SSL_CTX_new, and add the certificate and 
> private key into it using
>
>    SSL_CTX_use_certificate
>    SSL_CTX_use_PrivateKey
>
> If I then create an SSL from this context using SSL_new and use that at 
> the server end of an SSL connection, it sends a Certificate message to the 
> client containing the server's certificate only, and not the entire chain 
> (which is what's needed as the client the other end isn't going to have 
> any of the intermediate certificates).
>
> This is not surprising, as I've told neither the SSL_CTX nor the SSL where 
> to find the chain that was returned from PKCS12_parse.
>
> Looking for a way to do this I can find no SSL_CTX_use_certificate_chain 
> API. There's a SSL_CTX_use_certificate_chain_file, which I'm guessing 
> would do what I wanted if the certificate chain were on disk in a .pem 
> file, but it isn't - it's in memory in a STACK_OF(X509).
>
> How do I get the server end of an SSL connection to use the certificate 
> chain parsed out of a PKCS#12 file using PKCS12_parse? Or have I 
> completely misunderstood how to use OpenSSL to get the certificate chain 
> sent?
>
> Tim Ward - Brett Ward Limited - 07801 703 600
> www.brettward.co.uk
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majordomo@openssl.org 
