On 11/18/2011 04:01 PM, Rebel Neurofog wrote:
> Yet I still don't understand how a client certificate is distinguished
> from a server certificate
> (at least in non-www cases where no "tls_www_client" and
> "tls_www_server" entries are used in templates)
> Say, the CA signed a server certificate. If the server certificate has
> authority to sign certificates then the server
> can sign client certificates. But why then can't client certificates
> be used as server?

Welcome to the X.509 world. Certificates are distinguished by the extensions they are tagged with. I.e., you can tag the certificate as a CA or not (using X.509v3 extensions). If you don't use tls_www_server, then the only way to distinguish server from client certificates is the text fields of the distinguished name.

> And also which trust file has to be used by
> 'gnutls_certificate_set_x509_trust_file ()' on client side
> and which one on server?

There they put the CA they trust to verify their peers. If it is a common one they put the common one.

regards,
Nikos
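
The tagging described in the reply above, shown as three certtool templates. This is an added example, not part of the original thread or of the GnuTLS documentation; the file names, common names, DNS name and lifetimes are constructed sample values.

```ini
# --- ca.tmpl (hypothetical file name): the signing authority ---
cn = "Example Root CA"
expiration_days = 3650
# Marks the certificate as a CA (X.509v3 basicConstraints).
ca
# Key usage: this key may sign other certificates.
cert_signing_key

# --- server.tmpl (hypothetical file name): end-entity, server role ---
cn = "server.example.test"
dns_name = "server.example.test"
expiration_days = 365
# No "ca" line here: the certificate is not tagged as a CA, so a peer
# that verifies the chain rejects anything issued with this key.
# Extended key usage: TLS server authentication.
tls_www_server
signing_key
encryption_key

# --- client.tmpl (hypothetical file name): end-entity, client role ---
cn = "client-01"
expiration_days = 365
# Extended key usage: TLS client authentication.
tls_www_client
signing_key
```

When both end-entity certificates are issued by the same CA, the CA certificate generated from the first template is the file each side passes to gnutls_certificate_set_x509_trust_file (). Printing a generated certificate with `certtool --certificate-info` shows which of these extensions it actually carries.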
