> From: owner-openssl-users On Behalf Of Martin Hecht
> Sent: Friday, November 15, 2013 12:28

> Maybe there are some means to add the certificate to "trusted
> certificates", maybe it is sufficient to copy it somewhere, where your
> openssl looks for trusted certificates (in Linux it is usually
> /etc/ssl/certs/, in Windows I'm not sure, probably some folder below
> programs\openssl or so).
> 
But only if your app calls SSL_CTX_default_verify_paths (it's not 
automatic default for a custom app, as it is for commandline).
If you have commandline from the same build (as you should) 
'openssl version -d' (or -a) tells you where the default is.

Alternatively you can put the truststore files anywhere you like 
and call SSL_CTX_set_verify_locations. This can be useful if you 
want different trust rules for different applications or users, 
but extra work and opportunity for mistakes if you don't.
Or if you don't have the certs in files at all, you can hand-build 
SSL_CTX_get/set_cert_store , but that's more work.
Apparently there will be more extensive APIs in 1.0.2.

> If it doesn't work with self-signed certificates at all, the openssl ca
> command would be a simple option to generate a few certificates signed
> by the self-signed one. You would put the self-signed certificate into
> the trusted certificates folder on the client and the server and use two
> other certificates in the API on the client and the server respectively.
> 
OpenSSL relier (client) definitely does support self-signed cert if it's in
the truststore. It is more flexible and often convenient to use one self-signed
root to issue other certs, but it's not necessary. Also a nit: 'ca' is the
original and arguably better way to issue child certs, but for some time
'x509 -req' is also capable of doing so with some limitations.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
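The two points made in the reply, that a self-signed cert is accepted when it is itself in the truststore and that 'x509 -req' can issue child certs from a self-signed root, exercised with the command line from the same build. This is an added example, not code from the thread or from OpenSSL; it assumes the openssl binary is on PATH with its default openssl.cnf present, and the file names (root, other, leaf) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Needs only the openssl binary on PATH;
# root.pem / other.pem / leaf.pem are constructed names for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Where this build looks for trusted certs by default (what a custom app
# only gets if it explicitly asks for the default verify paths).
default_cert_dir() { openssl version -d; }

# Create a self-signed certificate with CN $2 as $1.pem / $1.key.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -subj "/CN=$2" -days 30 2>/dev/null
}

# Issue child cert $1 (CN $3) signed by the self-signed root $2 using
# 'x509 -req', the lighter alternative to 'openssl ca' named in the reply.
issue_child() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -out "$1.pem" -days 30 2>/dev/null
}

# Exit 0 only if cert $1 verifies against the truststore file $2, which is
# the same decision a relier makes when it checks a peer certificate.
verifies_with() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

make_self_signed root "Example Root"
make_self_signed other "Unrelated Root"
issue_child leaf root "leaf.example"

echo "default trust dir: $(default_cert_dir)"
verifies_with root.pem root.pem  && echo "root.pem: OK when it is itself in the store"
verifies_with leaf.pem root.pem  && echo "leaf.pem: OK, chains to root.pem"
verifies_with leaf.pem other.pem || echo "leaf.pem: rejected when only other.pem is trusted (expected)"
```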