On Tue, 16 Sep 2003, Dann Daggett wrote:

> Now, when an outsider connects to my secure server, my server
> should present that client with a certificate right? Which
> certificate does it present? The server's cert, or the CA's?

The server's.

> Or does it need to present both?

It does not hurt to present both, but it is not strictly required if the client already trusts your CA. If the certificate is issued by a second-level CA and the client trusts the higher-level CA who issued the certificate for the second-level CA, then you must present the CA chain, or else the client will not be able to verify the certificate, as there is no direct chain of trust from the certificate to the trusted root CA.

> I've seen references to
> the practice of concatenating the two together and I now
> assume this is what might be referred to as a "chain file"?

Yes.

> But I'm not clear on "how" to concat the two or what in
> what order? Is it as simple as
> "cat x1.pem cacert.pem > chainfile.crt"
> And if so, should it be only the ---BEGIN CERT -- to ---END
> CERT--- data, not all of the rest of the text, or can it
> include the human readable text as well?

As long as it contains the ---BEGIN CERT... blocks, OpenSSL applications with support for loading certificate chain files should be fine. Any content outside these blocks is ignored by OpenSSL.

See the documentation for the server application you are using on how certificate chains should be presented to the application.

If you are writing your own application then you need to load the certificate chain in the application. There are at least two different methods:

a) Prepare the chain in the certificate file, and load it when loading the certificate: SSL_CTX_use_certificate_chain_file

b) Set up trust to the CAs who issued your certificate before loading the certificate: SSL_CTX_load_verify_locations

Several other variants are possible.

> Also, what's the difference between the /certs and the /newcerts
> directories? Is the /certs where I place the certs that I trust
> and the /newcerts only stores the certs I've issued, but don't
> need to trust them explicitly (since I trust the issuer)?

Not really relevant to running servers. These are just directories used by the CA.pl script and the demoCA configuration. The certs directory is probably meant to contain already issued and delivered certificates, allowing you to keep track of which certificates have been delivered to their use and which are newly issued certificates. The directory is not actually used from what I can tell.

Regards
Henrik

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
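The chain-file construction discussed in the reply above, as an added shell example that is not from the original post or from the OpenSSL project: it keeps only the BEGIN/END CERTIFICATE blocks (any human-readable dump around them is dropped), writes the server certificate first and the intermediate CA certificate after it, and, when an openssl binary is available, checks that the leaf verifies up to a root using the intermediates in the chain file as untrusted. The file names are assumptions.

```shell
#!/bin/sh
# Build a server chain file from PEM inputs. Order matters for clients that
# walk the chain: the server (leaf) certificate first, then the CA that
# signed it, then that CA's issuer, and so on. The trusted root itself is
# normally left out, since the client must already hold it to trust anything.

# pem_blocks FILE: print only the certificate blocks from FILE. Text outside
# the blocks (for example an "openssl x509 -text" dump) is discarded, which
# mirrors what OpenSSL itself ignores when it reads the file.
pem_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
         inblock { print }
         /^-----END CERTIFICATE-----$/ { inblock = 0 }' "$1"
}

# build_chain OUT LEAF [INTERMEDIATE ...]: write OUT as leaf followed by each
# intermediate in the order given (closest to the leaf first).
build_chain() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        pem_blocks "$f" >> "$out"
    done
}

# count_certs FILE: number of certificate blocks in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# verify_chain CHAIN ROOT: check that the first certificate in CHAIN (the
# leaf) chains to ROOT, using the other certificates in CHAIN as untrusted
# intermediates. Skipped when no openssl binary is installed.
verify_chain() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping verification"
        return 0
    fi
    openssl verify -CAfile "$2" -untrusted "$1" "$1"
}

# Usage: build_chain.sh chainfile.crt server.pem intermediate.pem [...]
if [ "$#" -ge 2 ]; then
    build_chain "$@"
    echo "$(count_certs "$1") certificate(s) written to $1"
fi
```
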