
List:       openssl-users
Subject:    Re: Question on certificate chain creation in using SSL_CTX_use_certificate_chain_file
From:       Viktor Dukhovni <openssl-users () dukhovni ! org>
Date:       2014-05-29 20:22:55
Message-ID: 20140529202254.GM27883 () mournblade ! imrryr ! org

On Thu, May 29, 2014 at 12:53:06PM -0700, David Li wrote:

> Say, I have a servercert.pem, serverkey.pem and cacert.pem.  When
> using SSL_CTX_use_certificate_chain_file() to load a cert file as the
> second argument, I will have to construct the file like this:
> 
> cat servercert.pem serverkey.pem cacert.pem > server.pem

You don't need to include the key here, if you load the key from
a separate file.  If you do include the key, its position can be
anywhere in that list.  If the CA is a self-issued root CA, and
you're using PKIX (not DANE), the CA is also optional.

Also if you include the key, set the umask to 077, to protect the
key.

> and use server.pem in the API.
> 
> My question is why I need to put in the private server key when loading the
> certificates?

You don't.

> What's even more confusing to me is that later on I have to use
> SSL_CTX_use_PrivateKey_file() to load the private key file which again is
> the same as server.pem.

You need to load the key from somewhere; it is often preferable
to use a single file, so that the key and cert are stored together.
You are free to store them in separate files.

> I might have misunderstood something or these two APIs might have
> internally picked the ones they need and ignore the rest in the file. Maybe
> it's just a convenient way to use a single file for both.

Each function looks at just the pieces of the file it wants.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
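The following is an added example, not part of the mail above and not OpenSSL code. It models the two lookups the reply describes (the certificate loader takes the first CERTIFICATE block as the server cert and the rest as the chain, the key loader takes the first private-key block wherever it sits) over a combined PEM file, and writes that file the way "umask 077; cat ... > server.pem" would so the resulting mode can be checked. The PEM bodies are constructed placeholders, not real DER, since only the BEGIN/END labels matter for this point; the label set and the regular expression are this example's own assumptions, not OpenSSL's parser.

```python
import os
import re
import stat
import tempfile

# Constructed sample PEM blocks. The base64 bodies are placeholders, not real
# DER; this example only looks at the BEGIN/END labels, just as concatenating
# the files with cat does.
SERVER_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "c2VydmVyY2VydA==\n"
               "-----END CERTIFICATE-----\n")
CA_CERT = ("-----BEGIN CERTIFICATE-----\n"
           "Y2FjZXJ0\n"
           "-----END CERTIFICATE-----\n")
SERVER_KEY = ("-----BEGIN PRIVATE KEY-----\n"
              "c2VydmVya2V5\n"
              "-----END PRIVATE KEY-----\n")

# One PEM block: BEGIN label, body, matching END label (assumed layout).
PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\n.*?\n-----END \1-----\n", re.S)
# Labels treated as private keys in this model (assumption, not OpenSSL's list).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def write_combined_pem(path, *parts):
    """Mirror `umask 077; cat a b c > server.pem`: concatenate the parts and
    create the file so that only the owner can read it."""
    old = os.umask(0o077)
    try:
        with open(path, "w") as f:
            f.write("".join(parts))
    finally:
        os.umask(old)


def split_pem(data):
    """Return [(label, block_text), ...] in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(data)]


def certificate_chain(data):
    """What the chain loader picks out: the first CERTIFICATE block is the
    server cert, the following ones are the chain. Key blocks are skipped
    wherever they sit."""
    certs = [pem for label, pem in split_pem(data) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block in file")
    return certs[0], certs[1:]


def private_key(data):
    """What the key loader picks out: the first private-key block, regardless
    of its position in the file."""
    for label, pem in split_pem(data):
        if label in KEY_LABELS:
            return pem
    raise ValueError("no private key block in file")


def key_file_is_private(path):
    """Check the effect of umask 077: no group/other permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Build a combined file with the key deliberately in the middle and show
    that both lookups still find what they want."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.pem")
        write_combined_pem(path, SERVER_CERT, SERVER_KEY, CA_CERT)
        with open(path) as f:
            data = f.read()
        leaf, chain = certificate_chain(data)
        key = private_key(data)
        return {
            "leaf_is_server_cert": leaf == SERVER_CERT,
            "chain": chain,
            "key_is_server_key": key == SERVER_KEY,
            "mode_ok": key_file_is_private(path),
        }


if __name__ == "__main__":
    print(demo())
```

The same file therefore serves both loaders: the chain loader never sees the key, the key loader never sees the certificates, and the umask set before the redirect is what keeps the key out of reach of other users.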