> From: owner-openssl-users On Behalf Of Martin Hecht
> Sent: Friday, November 15, 2013 12:28
>
> Maybe there are some means to add the certificate to "trusted
> certificates", maybe it is sufficient to copy it somewhere, where your
> openssl looks for trusted certificates (in Linux it is usually
> /etc/ssl/certs/, in Windows I'm not sure, probably some folder below
> programs\openssl or so).

But only if your app calls SSL_CTX_default_verify_paths (it's not automatic default for a custom app, as it is for commandline). If you have commandline from the same build (as you should) 'openssl version -d' (or -a) tells you where the default is. Alternatively you can put the truststore files anywhere you like and call SSL_CTX_set_verify_locations. This can be useful if you want different trust rules for different applications or users, but extra work and opportunity for mistakes if you don't. Or if you don't have the certs in files at all, you can hand-build SSL_CTX_get/set_cert_store, but that's more work. Apparently there will be more extensive APIs in 1.0.2.

> If it doesn't work with self-signed certificates at all, the openssl ca
> command would be a simple option to generate a few certificates signed
> by the self-signed one. You would put the self-signed certificate into
> the trusted certificates folder on the client and the server and use two
> other certificates in the API on the client and the server respectively.

OpenSSL relier (client) definitely does support self-signed cert if it's in the truststore. It is more flexible and often convenient to use one self-signed root to issue other certs, but it's not necessary. Also a nit: 'ca' is the original and arguably better way to issue child certs, but for some time 'x509 -req' is also capable of doing so with some limitations.

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
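The points made in this exchange (the build's default truststore location, an explicit CA file versus a hashed CA directory, a self-signed root that both issues child certs via 'x509 -req' and serves as the trust anchor) worked through with the openssl command line, as an added example that is not part of the thread. It assumes an openssl binary of version 1.1 or later on PATH; all file names and the "Demo" subject names are constructed for the demo, and the system truststore is never touched.

```shell
# Added example (not from the thread). File names and "Demo" subjects are
# constructed for this demo; nothing here modifies the system truststore.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The build's default truststore location, as reported by 'openssl version -d'.
default_dir() {
  openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'
}

# One self-signed root: the CA that issues, and the trust anchor that verifies.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Issue a child cert with 'x509 -req' (the lighter alternative to 'openssl ca').
issue_child() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Explicit truststore file: the equivalent of an app pointing its SSL_CTX at
# its own CA file instead of relying on the default paths.
verify_with_cafile() { openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1; }

# Directory truststore: openssl looks up <subject-hash>.0, so a PEM copied into
# the directory is invisible until that hash link exists (c_rehash does this).
verify_with_capath() { openssl verify -CApath "$WORK/trust" "$1" >/dev/null 2>&1; }
link_into_capath() {
  ln -s "$WORK/root.pem" "$WORK/trust/$(openssl x509 -noout -subject_hash -in "$WORK/root.pem").0"
}
# Default locations only: what a custom app sees if it just loads the default
# paths. The private root is not there, so its children cannot chain.
verify_with_defaults() { openssl verify "$1" >/dev/null 2>&1; }

make_root
issue_child client
issue_child server
mkdir "$WORK/trust" && cp "$WORK/root.pem" "$WORK/trust/"
echo "default truststore dir: $(default_dir)"
verify_with_cafile "$WORK/root.pem"     && echo "self-signed root in truststore: OK"
verify_with_cafile "$WORK/client.pem"   && echo "child via CAfile: OK"
verify_with_capath "$WORK/server.pem"   || echo "child via unhashed CApath: rejected"
link_into_capath
verify_with_capath "$WORK/server.pem"   && echo "child via hashed CApath: OK"
verify_with_defaults "$WORK/client.pem" || echo "child via default paths only: rejected"
```

The unhashed-directory case is the one that bites people who follow the "just copy it into /etc/ssl/certs" advice: the file is there, but the lookup by subject hash never finds it.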