Hi All:

I have a question on certificate formats and the functions used to load certificate files into a CTX object. As per the documents:

SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. There is no corresponding function working on a single SSL object.

SSL_CTX_use_certificate_file() loads the first certificate stored in file into ctx. The formatting type of the certificate must be specified from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.

Also, a file may contain only a single DER-encoded object, but can contain many PEM objects. As such one cannot use SSL_CTX_use_certificate_chain_file() for DER certificates.

I had a chain of PEM-encoded certificates, server.pem. Then I converted it to a DER certificate, server.der, using the OpenSSL command line. I was able to load server.der into SSL_CTX_use_certificate_file(). And the CA certificate loaded into my client application in PEM format using SSL_CTX_load_verify_locations() was able to verify server.der in the SSL handshake.

My doubt: is what I did right? Is it OK to use a DER certificate created from the chain of PEM certs? Are the PEM CA certs still capable of verifying the incoming DER certs? Basically I am not clear on the statement "a file may contain only a single DER-encoded object, but can contain many PEM objects".

Thanks and Regards,
Prabhu. S
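The sentence the question turns on ("a file may contain only a single DER-encoded object, but can contain many PEM objects") is about the container, not about what the CA can verify: a PEM file is text, and a loader can keep reading `-----BEGIN/END-----` blocks until the file ends, whereas a DER file is one ASN.1 TLV whose outer length says where the object stops, so a DER loader (`d2i_X509`, and therefore `SSL_CTX_use_certificate_file()` with `SSL_FILETYPE_ASN1`) reads exactly one object and never looks at bytes after it. The same applies on the command line: `openssl x509 -in chain.pem -outform DER` reads only the first PEM certificate, so converting a three-certificate chain produces a DER file holding the leaf alone, and any intermediates are silently dropped. The added example below is not from the thread or from OpenSSL; it models those two loader behaviours in pure Python over constructed DER SEQUENCE blobs (not real certificates) so it runs offline. `load_certificates()`, `pem_to_der_first()`, `fake_cert()` and the sample chain are all assumed names for illustration.

```python
"""PEM vs DER containers: why a DER file holds one certificate and a PEM file many.

Added illustration, not OpenSSL code. The certificates are constructed DER
SEQUENCE blobs, not real X.509; only the container parsing is modelled.
"""
import base64
import re

# One PEM object; the label group is reused so BEGIN and END must match.
PEM_OBJECT = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_object_length(buf: bytes, offset: int = 0) -> int:
    """Total size (header + content) of the single DER TLV starting at buf[offset].

    Only the outer tag and length are parsed (short and long form); that is
    all a DER loader needs to know where one object ends.
    """
    if len(buf) - offset < 2:
        raise ValueError("truncated DER header")
    first = buf[offset + 1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) - offset < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    content_len = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return 2 + n + content_len


def der_objects(buf: bytes) -> list:
    """Every consecutive DER object in buf (a DER loader stops after the first)."""
    out, off = [], 0
    while off < len(buf):
        end = off + der_object_length(buf, off)
        if end > len(buf):
            raise ValueError("truncated DER object")
        out.append(buf[off:end])
        off = end
    return out


def pem_objects(text: str) -> list:
    """(label, der_bytes) for every PEM object in a file, in file order."""
    return [
        (m.group(1), base64.b64decode("".join(m.group(2).split())))
        for m in PEM_OBJECT.finditer(text)
    ]


def load_certificates(data: bytes, filetype: str) -> list:
    """Model of the two OpenSSL loaders applied to one file's bytes.

    "PEM"  -> every CERTIFICATE object, like SSL_CTX_use_certificate_chain_file().
    "ASN1" -> exactly one object, the first DER TLV, like
              SSL_CTX_use_certificate_file(..., SSL_FILETYPE_ASN1);
              anything after it is trailing data and is never read.
    """
    if filetype == "PEM":
        return [der for label, der in pem_objects(data.decode()) if label == "CERTIFICATE"]
    if filetype == "ASN1":
        return [data[:der_object_length(data)]]
    raise ValueError(f"unknown filetype {filetype!r}")


def pem_to_der_first(text: str) -> bytes:
    """What `openssl x509 -in chain.pem -outform DER` keeps: the first cert only."""
    return load_certificates(text.encode(), "PEM")[0]


# --- constructed sample input (not real certificates) ------------------------
def der_length(n: int) -> bytes:
    """Minimal DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def fake_cert(name: str, size: int) -> bytes:
    """A DER SEQUENCE whose content is `name` padded to `size` bytes."""
    body = name.encode().ljust(size, b"\x00")
    return b"\x30" + der_length(len(body)) + body


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


LEAF = fake_cert("server", 300)            # sizes chosen to exercise long-form lengths
INTERMEDIATE = fake_cert("intermediate CA", 400)
ROOT = fake_cert("root CA", 500)
CHAIN_PEM = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)   # server.pem


def demo() -> tuple:
    """(certs a PEM chain loader sees, certs a DER loader sees after conversion,
    DER objects actually present if all three are concatenated, certs a DER
    loader sees in that concatenation)."""
    pem_chain = load_certificates(CHAIN_PEM.encode(), "PEM")
    server_der = pem_to_der_first(CHAIN_PEM)                 # server.der: leaf only
    der_chain = load_certificates(server_der, "ASN1")
    concatenated = LEAF + INTERMEDIATE + ROOT                # three DER objects back to back
    return (len(pem_chain), len(der_chain),
            len(der_objects(concatenated)), len(load_certificates(concatenated, "ASN1")))


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the handshake: the server presents only what was loaded, so after the conversion it sends the leaf alone. Verification with the PEM CA loaded via `SSL_CTX_load_verify_locations()` then succeeds only if that CA (or something the client already trusts) is the direct issuer of the leaf; an intermediate that was present in server.pem is no longer sent and would have to be known to the client by other means. PEM versus DER makes no difference to the signature check itself; both decode to the same X.509 structure.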