On Wed, Jan 30, 2008 at 09:57:27AM +1300, Chris Pugmire wrote:

> I have a server application using openssl, and I have a server 
> certificate which is chained to a root CA via intermediate certificates.
> 
> If I load the chained certificates onto the clients, all works well, but 
> then I have to do this on every client.
> 
> I feel sure there is some trivial way to load the chain at the server 
> end, but can't seem to find how to do it, can someone point out the 
> answer?
> 
> I have tried simply appending the chained certificates to the server(s) 
> normal certificate file but that didn't work.  Do I need to use a 
> special call in ssl to load a file that contains these extra 
> certificates that should be passed to the client?
> 

The solution depends on how the server loads its certificates. If the
server is using:

        SSL_CTX_use_certificate_chain_file()

to load a PEM file containing its cert and issuing CA certs (in the
right order with the server cert first and root cert last), then provided
clients trust the root cert, everything should work.

If the server is using:

        SSL_CTX_use_certificate_file()

then it must add the CA certs separately via SSL_CTX_add_extra_chain_cert().

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
