On Tue, Sep 05, 2000 at 04:28:26PM -0400, [EMAIL PROTECTED] wrote:
>
> thanks a lot.
>
> but how to send the certificate of the CA that issued the client
> certificate together with the client certificate.
> and I already used the SSL_CTX_use_certificate_chain_file(ctx,CERTF);
> I used the s_client to connect to my server like:
> OpenSSL> s_client -connect myserver:port -key \bamboo.pem -cert \bamboo.pem

s_client does not use the certificate_chain_file() function.
The difference is:

- ..._use_certificate_chain_file() will read the client certificate as first
  certificate, then the CA certificate(s) from the same "bamboo.pem".
  I remember vaguely that there is a problem when the key is in the same
  file, but it is too late to check out :-)
- ..._use_certificate_file() will only read the client certificate.
  In this case you must add the CA certificate(s) to the cacert.pem and use
  -CAfile cacert.pem. s_client will then collect the necessary additional
  CA certificates automatically. (Of course, your filenames can vary.) [*]
- In any case, the same CA certificates must be available at the server
  side. If you use s_server, you must also make them available via the
  -CAfile directive (or -CApath).

[*] There is a significant difference in that a CA that is used via the
    ...chain_file() function does not become trusted, while adding it
    via the CA options it becomes trusted as a side effect. (Whether this
    hurts you or not depends on your application.)

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
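
The trust side effect described in the [*] note above can be observed directly. This is an added example, not part of the original message: it uses Python's ssl module, whose load_cert_chain() and load_verify_locations() wrap SSL_CTX_use_certificate_chain_file() and SSL_CTX_load_verify_locations(). It assumes the openssl command is on PATH, and the CA, key and file names are constructed throwaway values.

```python
import ssl
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args, cwd):
    # Assumption: the openssl CLI is installed and on PATH.
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def make_test_pki(d):
    """Build a constructed one-day CA and a client cert it issued."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Example Test CA",
             "-keyout", "ca.key", "-out", "cacert.pem", cwd=d)
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=bamboo",
             "-keyout", "client.key", "-out", "client.csr", cwd=d)
    _openssl("x509", "-req", "-in", "client.csr", "-CA", "cacert.pem",
             "-CAkey", "ca.key", "-CAcreateserial", "-days", "1",
             "-out", "client.pem", cwd=d)
    # Chain file layout: client certificate first, then the CA certificate.
    chain = (d / "client.pem").read_text() + (d / "cacert.pem").read_text()
    (d / "chain.pem").write_text(chain)


def trusted_count(ctx):
    # Number of certificates in the context's trust store.
    return ctx.cert_store_stats()["x509"]


def compare_loading():
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        make_test_pki(d)
        key = str(d / "client.key")

        # Variant 1: CA supplied only as part of the chain file.
        chain_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        chain_ctx.load_cert_chain(str(d / "chain.pem"), key)

        # Variant 2: client cert alone, CA supplied the way -CAfile does.
        ca_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ca_ctx.load_cert_chain(str(d / "client.pem"), key)
        ca_ctx.load_verify_locations(cafile=str(d / "cacert.pem"))

        return {"chain_file": trusted_count(chain_ctx),
                "cafile": trusted_count(ca_ctx)}
```

A context that will also verify peers should load only the CAs it is meant to trust through the CAfile path; a CA that merely needs to be sent along belongs in the chain file.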