Daniel Kahn Gillmor <[email protected]> writes:

> On 11/26/2009 09:18 AM, Simon Josefsson wrote:
>> The TLS protocol only allow clients to send one X.509 certificate to the
>> server. I suspect that if you need to send two client certificates,
>> something is wrong with your architecture.
>
> Laurence may be confused about this, and trying to send two end-entity
> certificates, in which case Simon's remarks here are correct.
>
> But a gnutls client may also offer intermediate certificate authority
> certificates (to bridge the gap from the server's announced root CAs to
> the client's end-entity certificate).
>
> In that case, the spec certainly allows the client to inject multiple
> certificates in the certificate_list structure, with the (maybe
> not-so-clear) intention of giving the server a chained trust path to the
> client's own certificate:
>
> http://tools.ietf.org/html/rfc5246#section-7.4.2
>
> Laurence, if this is what you're trying to do, i don't think you want to
> call gnutls_certificate_set_x509_key_file twice. What you want to do is
> to put the ordered certificates (end-entity cert, followed by successive
> CA certs) in file A, and then the private key in a file B (only the
> end-entity's private key -- there's no need to have the private key for
> any intermediate CA). then call gnutls_certificate_set_x509_key_file
> once, pointing to A and B.
>
> hope this helps clear up confusion.
Thank you, I hope that helps in case Laurence wanted to provide two certs
from the same chain to the server.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
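The two-file layout Daniel describes (file A: end-entity certificate followed by each issuing CA in order; file B: only the end-entity private key) is easy to get wrong, and GnuTLS will simply load whatever PEM blocks it finds. The following is an added example, not GnuTLS code and not part of this thread: a small PEM parser that sanity-checks both files before they are handed to gnutls_certificate_set_x509_key_file. The sample "files" are constructed strings with fake base64 bodies, so they exercise only the layout checks; the optional subject/issuer ordering check runs only when the `cryptography` package is installed and real certificates are supplied, and is otherwise skipped.

```python
"""Layout checks for the two files passed to
gnutls_certificate_set_x509_key_file(): file A is the ordered certificate
chain (end-entity first, then successive CA certs), file B holds only the
end-entity private key.  Added example; not GnuTLS's own code."""
import base64
import re

# One PEM block: the END label must repeat the BEGIN label exactly.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block in text, in file order."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def check_cert_file(text):
    """File A must contain one or more CERTIFICATE blocks and nothing else.
    Returns (ok, list_of_problems)."""
    blocks = parse_pem(text)
    problems = []
    if not blocks:
        problems.append("no PEM blocks found")
    for i, (label, _) in enumerate(blocks):
        if label != "CERTIFICATE":
            problems.append(f"block {i} is {label!r}, not a certificate")
    return (not problems, problems)


def check_key_file(text):
    """File B must contain exactly one private key and no certificates
    (the intermediate CAs' keys are never needed on the client)."""
    labels = [label for label, _ in parse_pem(text)]
    problems = []
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if "CERTIFICATE" in labels:
        problems.append("certificate found in the key file; it belongs in file A")
    return (not problems, problems)


def check_chain_order(text):
    """Optional: verify that certificate i is issued by certificate i+1,
    i.e. file A runs from the end-entity up toward the CA.  Needs the
    `cryptography` package and real certificates; returns None if the
    package is not installed (assumption: caller treats None as 'skipped')."""
    try:
        from cryptography import x509
    except ImportError:
        return None
    certs = [x509.load_der_x509_certificate(der)
             for label, der in parse_pem(text) if label == "CERTIFICATE"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i].issuer != certs[i + 1].subject:
            problems.append(f"cert {i} issuer does not match cert {i + 1} subject")
    return (not problems, problems)


def _fake_block(label, payload):
    """Build a syntactically valid PEM block around arbitrary bytes.
    Constructed for this example; the body is NOT a real certificate or key."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample inputs standing in for file A and file B.
SAMPLE_CHAIN_FILE = (
    _fake_block("CERTIFICATE", b"end-entity certificate (constructed)")
    + _fake_block("CERTIFICATE", b"intermediate CA certificate (constructed)"))
SAMPLE_KEY_FILE = _fake_block("RSA PRIVATE KEY", b"end-entity private key (constructed)")
# A common mistake: the certificate pasted into the key file as well.
SAMPLE_BAD_KEY_FILE = SAMPLE_KEY_FILE + _fake_block("CERTIFICATE", b"stray cert (constructed)")


if __name__ == "__main__":
    print("file A:", check_cert_file(SAMPLE_CHAIN_FILE))
    print("file B:", check_key_file(SAMPLE_KEY_FILE))
    print("bad B: ", check_key_file(SAMPLE_BAD_KEY_FILE))
    print("order: ", check_chain_order(SAMPLE_CHAIN_FILE))
```

Once both files pass, the single call Daniel recommends is gnutls_certificate_set_x509_key_file(cred, "A.pem", "B.pem", GNUTLS_X509_FMT_PEM); the chain order matters because the server walks certificate_list from the first entry toward its trusted roots, so a CA certificate placed first is presented as if it were the client's identity.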
