> From: owner-openssl-us...@openssl.org On Behalf Of liv2luv
> Sent: Tuesday, 19 October, 2010 11:26

> I am new to SSL and Certificates. 
> 
> I have generated a CSR and certificate for signing. In return 
> I've got three
> certificates.
> 
> a. Root CA's certificate
> b. Intermediate Certificate
> c. Server certificate
> 
> After some searching, I understand I need to combine them in 
> the sequence as
> server, intermediate and root certificate.
> 
Probably not. For an OpenSSL server, you do need entity + 
intermediate as below, unless the/each client has the 
intermediate as trusted (which is sometimes possible).

It rarely makes sense to transmit a root in protocol, 
since the peer must have it already to trust it.

> After that I converted the PEM format to DER to see the 
> certificate. It is
> only showing the top certificate (server certificate) in this case.
> 
OpenSSL x509 can look at a certificate file in either DER or PEM 
with exactly the same capabilities. If you mean you had multiple 
certs (e.g. the chain) in one file in PEM format and did 
  openssl x509 -inform pem -outform der
that only converts the first cert found, just like 
  openssl x509 -inform pem -text -noout 
only displays the first cert. To process with the commandline 
utility like this you must put each cert in a separate file. 
As to recombining later, see below.


> How can the certificate chain be created in a single file?
> 
There is no standard format for just putting multiple certs, 
or anything else, in DER format into a file.

In a few places OpenSSL accepts multiple certs in PEM format 
in a file. SSL_CTX_load_verify_locations (CAfile), used by 
-CAfile in several utilities, takes certs (and CRLs if used) 
in PEM format in one file. SSL_CTX_use_certificate_chain_file 
takes entity cert plus chain (excluding root, which as above is 
not needed) in PEM format, and thus should be what you need.

This concatenated PEM format is not a standard as far as I know, 
although I believe some others have adopted OpenSSL's method.
Remember that PEM format (here) is actually just DER encoded 
in base64 plus labels; the "real" data is actually the same.

There is a standard ASN.1 structure, PKCS#7 aka Cryptographic 
Message Syntax or CMS, which can carry multiple certs and/or CRLs 
in DER (or PEM-ified single DER, as opposed to PEM concatenation)
and is fairly commonly used for that purpose. The SSL routines 
in OpenSSL do not use PKCS#7 directly, although code you write 
using lower-level libcrypto can, and the commandline utility 
pkcs7 can display them from which you can capture them into 
one or more files in PEM format and manipulate further.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
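An added worked example (mine, not code from this thread or from the OpenSSL project) that does in Python what the reply above describes in words: it separates a concatenated PEM bundle into its individual certificates, checks that each PEM body really is one base64-encoded DER SEQUENCE, and rebuilds the entity + intermediate chain file (root omitted) that SSL_CTX_use_certificate_chain_file wants. Only the standard library is used. The function names, the regular expression and the helper `dummy_der` are my own; the three certificate bodies are constructed dummy DER blobs, not real X.509 certificates, and the code assumes the CA delivered the bundle in the order entity, intermediate, root.

```python
"""Split a concatenated PEM bundle into single certificates and rebuild the
entity + intermediate chain file.  Added example, standard library only.
The three certificate bodies are CONSTRUCTED dummy DER SEQUENCEs, not real
X.509 certificates; they exist only to show that a PEM block is base64 DER."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour OpenSSL writes (64-char base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def der_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (tag 0x30).

    The length octet is either a single byte below 0x80, or 0x80|n followed
    by n big-endian length bytes.  Raises ValueError on anything else."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length octets")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def split_pem_bundle(text: str) -> list:
    """Return the DER bytes of every certificate in a concatenated PEM file.

    This is the step `openssl x509` does not do for you: it stops after the
    first block, so each block must be separated before x509 can show it."""
    certs = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        if der_sequence_length(der) != len(der):
            raise ValueError("PEM body is not exactly one DER SEQUENCE")
        certs.append(der)
    return certs


def build_chain_pem(certs: list, include_root: bool = False) -> str:
    """Concatenate certs for SSL_CTX_use_certificate_chain_file.

    ASSUMPTION: `certs` is ordered entity first, root last, as delivered.
    The root is dropped by default: the peer must already hold it to trust it."""
    if len(certs) < 2:
        raise ValueError("need at least entity cert plus one issuer")
    wanted = certs if include_root else certs[:-1]
    return "".join(der_to_pem(c) for c in wanted)


def dummy_der(payload: bytes) -> bytes:
    """CONSTRUCTED stand-in for a certificate: a DER SEQUENCE around payload."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + payload


# Constructed sample input: the shape of a CA's "three certificates" bundle.
SERVER_DER = dummy_der(b"server-cert " * 12)      # 144-byte body: long-form length
INTERMEDIATE_DER = dummy_der(b"intermediate-ca")
ROOT_DER = dummy_der(b"root-ca")
BUNDLE_TEXT = der_to_pem(SERVER_DER) + der_to_pem(INTERMEDIATE_DER) + der_to_pem(ROOT_DER)


def split_to_files(text: str, prefix: str = "cert") -> dict:
    """Map file name -> single-cert PEM text, one file per cert, for `openssl x509`."""
    return {f"{prefix}{i}.pem": der_to_pem(der)
            for i, der in enumerate(split_pem_bundle(text))}


if __name__ == "__main__":
    certs = split_pem_bundle(BUNDLE_TEXT)
    print(f"bundle holds {len(certs)} certificates")
    for name, pem in split_to_files(BUNDLE_TEXT).items():
        print(name, "->", len(pem), "bytes")
    print("chain file for the server (root omitted):")
    print(build_chain_pem(certs), end="")
```

With real certificates, each file written from `split_to_files` can then be fed to `openssl x509 -in cert0.pem -text -noout` one at a time, and the assembled chain checked before deployment with `openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem`; the DER length check is what catches a bundle whose blocks were truncated or mis-pasted, which plain concatenation with `cat` would not notice.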