Garrett D'Amore wrote:
> Darren J Moffat wrote:
>> Garrett D'Amore wrote:
>>> Putting all the certs in one mondo file gives me a few minor 
>>> concerns, which might be insignificant, but I want to ask them anyway:
>>>
>>> 1) Do end users have any control over which CAs they do or do not 
>>> trust?  (What if they want all of the CAs except one?)
>>
>> The end user using the command/tool can point to a separate CA file.
>>
>> All of the tools I know about can take a single file not all of them 
>> appear to be able to take a directory of PEM files.
> 
> Ah, that explains this choice.  Is there a way (relatively easy for 
> customers) to extract a single Cert from the PEM file?  (Some tool?  Or 
> is the file in some ASCII encoding such that it can just manually be 
> extracted with an editor?)

PEM is an ASCII encoding; the certs themselves are bounded by:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

>>> 2) How are CRL handled?
>>
>> If there is an issue with needing to expire any of these root CAs then 
>> the way to deal with that is to redeliver the cacert file not to use a 
>> CRL.  CRLs are for a specific CA and it is their responsibility to 
>> manage those - note that some of them are huge, OCSP is the 
>> recommended way of checking certificate revocation.
> 
> So the tools are responsible for making this check themselves, using 
> OCSP, right?  That makes sense -- end users don't have to take any 
> specific action to get the CRL checking.

In general they may use OCSP, but not on the CA cert files, only on the 
SSL server certs they receive as part of the SSL protocol.

The whole point of the CA certs is "the buck stops here".

-- 
Darren J Moffat
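As an added illustration of the two points above (that a PEM bundle is plain text delimited by BEGIN/END CERTIFICATE markers, so a single cert can be pulled out or left out), here is a small stdlib-only splitter. It is example code written for this thread, not a tool from the original discussion. It identifies a certificate by the SHA-256 fingerprint of its DER body, the same value openssl-style tools print; the sample bundle is constructed, and its base64 bodies are placeholder bytes rather than real X.509 certificates.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample bundle. Real bundles carry DER-encoded X.509 certs in the
# base64 body; these bodies are just placeholder bytes so the example runs offline.
SAMPLE_BUNDLE = """\
# Example Root CA 1 (constructed placeholder)
-----BEGIN CERTIFICATE-----
RXhhbXBsZSBSb290IENBIDE=
-----END CERTIFICATE-----
# Example Root CA 2 (constructed placeholder)
-----BEGIN CERTIFICATE-----
RXhhbXBsZSBSb290IENBIDI=
-----END CERTIFICATE-----
# Example Root CA 3 (constructed placeholder, no comment header in the bundle)
-----BEGIN CERTIFICATE-----
RXhhbXBsZSBSb290IENBIDM=
-----END CERTIFICATE-----
"""


def split_pem_bundle(text):
    """Return a list of (pem_block, der_bytes) for every CERTIFICATE block.

    Lines outside a BEGIN/END pair (comments, blank lines, other PEM types)
    are ignored; an unterminated block is rejected rather than silently dropped.
    """
    blocks = []
    inside = False
    body = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN:
            inside = True
            body = []
        elif stripped == END:
            if not inside:
                raise ValueError("END CERTIFICATE without matching BEGIN")
            # validate=True rejects stray characters instead of skipping them
            der = base64.b64decode("".join(body), validate=True)
            pem = "\n".join([BEGIN] + body + [END]) + "\n"
            blocks.append((pem, der))
            inside = False
        elif inside:
            body.append(stripped)
    if inside:
        raise ValueError("unterminated CERTIFICATE block")
    return blocks


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes, lowercase hex without colons."""
    return hashlib.sha256(der).hexdigest()


def _normalize(fp_prefix):
    return fp_prefix.replace(":", "").lower()


def extract_cert(text, fp_prefix):
    """Return the single PEM block whose fingerprint starts with fp_prefix."""
    prefix = _normalize(fp_prefix)
    matches = [pem for pem, der in split_pem_bundle(text)
               if fingerprint(der).startswith(prefix)]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} certificates match prefix {prefix!r}")
    return matches[0]


def bundle_without(text, fp_prefix):
    """Return a new bundle with every cert except the one matching fp_prefix."""
    prefix = _normalize(fp_prefix)
    return "".join(pem for pem, der in split_pem_bundle(text)
                   if not fingerprint(der).startswith(prefix))


if __name__ == "__main__":
    for pem, der in split_pem_bundle(SAMPLE_BUNDLE):
        print(fingerprint(der), len(der), "bytes")
```

Pointing a tool at the output of `bundle_without` is the "all of the CAs except one" case from the first question: the trimmed file is still a valid single-file bundle, so it works with tools that cannot take a directory of PEM files.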
