> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
> Sent: Monday, 27 May, 2013 23:45
>
> You are right, I am using a self-signed certificate for use by my
> server. In fact, I do not perform client authentication in my
> application: only the server shall be authenticated by SSL. The client
> is authenticated by another mechanism.
>
> Here is how I generate my RSA key and my certificate:
>
> openssl genrsa -des -out server.key 2048
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 20000 -in server.csr -signkey server.key -out server.crt
>

Asides: you could combine those:

  req -new -newkey rsa:2048   replaces genrsa
  req -new -x509              replaces x509 -signkey

but the way you have it works. Also, 54+ years is a pretty long period!

> The only file that I transmit to my client is server.crt.

Good.

> I think that all those files are OK because, on the server side, once
> everything is initialised, the command SSL_CTX_check_private_key is
> happy with it.
>
> In order to initialise the truststore of my client, I copy the
> server.crt file somewhere, and I execute the following command:
>
> SSL_CTX_use_certificate_file(ctx, path_to_file, SSL_FILETYPE_PEM);

Bad. That attempts to use the cert as the *client's* cert, which has no effect because you didn't give the client the private key, and rightly so (the client shouldn't have the server's private key, and you say you don't want SSL-level client auth anyway).

> Do I have to generate another file? Or do I have to perform another
> configuration in my client?

There are two "standard" ways to set up a truststore for the openssl lib, in your case the client's truststore to trust the server.

SSL_CTX_load_verify_locations(ctx, fileornull, pathornull) tells openssl to use the (self-signed root and/or EE) certs concatenated in one PEM file named by fileornull if not null, and/or stored in individual PEM files using the subject hash for the link or file name in the directory pathornull if not null.

SSL_CTX_set_default_verify_paths(ctx) does something similar but using environment-variable settings or compiled-in default values for the file and/or path, usually "system-wide" places (for all apps on the system), something like /etc/openssl/cert.pem and /etc/openssl/certdir.

Most of the command-line utilities allow you to specify -CAfile and/or -CApath for the first way, or default to the second way.

Since you have one cert in one PEM file, the fileornull (CAfile) approach is simplest.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
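The two truststore styles the reply describes, as an added example using the openssl command line (this is not code from the thread): it builds server.key/server.crt with the combined `req -new -x509 -newkey` form, then checks verification against a CAfile, against a subject-hash-named CApath directory, and against no trust anchors at all. The `-no-CAfile`/`-no-CApath` options assume OpenSSL 1.1.0 or later; all file names and the CN are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Exercises the CAfile and CApath
# truststore styles with the openssl CLI. Requires OpenSSL >= 1.1.0.
set -eu

# Create $1/server.key and $1/server.crt in one step: "req -new -x509 -newkey"
# replaces the separate genrsa / req / x509 -signkey commands. No passphrase,
# no prompts, and a constructed subject name.
make_selfsigned_cert() {
    dir=$1
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example-server" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# CAfile style: trust exactly the certs concatenated in one PEM file
# (here the single self-signed server.crt). Returns 0 if $2 verifies.
verify_with_cafile() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/server.crt" "$2" >/dev/null 2>&1
}

# CApath style: each trusted cert lives in a directory under the name
# <subject_hash>.<n>, which is what c_rehash would produce.
build_capath() {
    dir=$1
    mkdir -p "$dir/certs"
    hash=$(openssl x509 -noout -subject_hash -in "$dir/server.crt")
    cp "$dir/server.crt" "$dir/certs/$hash.0"
}

verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1/certs" "$2" >/dev/null 2>&1
}

# Control case: with no trust anchors loaded, the self-signed cert is
# rejected, which is what a client sees if it never calls
# SSL_CTX_load_verify_locations / set_default_verify_paths.
verify_with_no_trust() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}
```

The same three outcomes apply to a client built on libssl: the CAfile and CApath calls map to SSL_CTX_load_verify_locations, and the control case is a context with SSL_VERIFY_PEER set but no trust anchors.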