On Wed, Jun 03, 2009 at 10:24:47PM +0100, David Woodhouse wrote:

> On Wed, 2009-06-03 at 15:02 -0400, Victor Duchovni wrote:
> > With SSL_CTX_use_certificate_chain_file() the entire trust chain is
> > loaded from the provided file in bottom-up order. The first certificate
> > is the leaf and must match the private key provided.
>
> Ah, right. Most files I've encountered have had only the _one_
> certificate. The code path you describe seems to be labelled with
>
> /* A Thawte special :-) */

Perhaps Thawte were the first to mass-market leaf certs signed by
intermediate CAs, creating the need for additional certs to be included
in the trust chain beyond the leaf cert.

> throughout the addition and usage of those extra certs -- is that really
> the way it's _supposed_ to be done?

The SSL_CTX_use_certificate_chain_file() API is a very admin-friendly way
to support installation of cert + chain, and even key + cert + chain, as
the key can also be stored in the same file (ideally mode 0600 or
passphrase-protected).

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
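The ordering rule described in the thread (leaf first, then each certificate's issuer in turn, optionally with the private key in the same file) is easy to get wrong when an operator pastes a CA bundle above the server certificate. The following is an added example, not OpenSSL code or anything from the list: a stand-alone Python checker that parses just enough DER to pull the subject and issuer out of each CERTIFICATE block and confirms the bundle is in the order SSL_CTX_use_certificate_chain_file() expects. It does no signature verification, and the certificates it builds for its own demonstration are constructed skeletons with dummy keys and signatures, not real certificates.

```python
"""Check that a PEM bundle is ordered the way SSL_CTX_use_certificate_chain_file()
reads it: first CERTIFICATE is the leaf, each following one issued the previous.
Added example, not OpenSSL code. Signatures are not verified; only DER structure
is parsed. Test certificates below are constructed, unsigned skeletons."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Yield (label, der_bytes) for each PEM block in file order."""
    for m in PEM_RE.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))

def _tlv(buf, off):
    """Read one DER TLV at buf[off]; return (tag, value, offset_after)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name encodings of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, off = _tlv(tbs, 0)              # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, off = _tlv(tbs, off)          # serialNumber
    _, _, off = _tlv(tbs, off)              # signature AlgorithmIdentifier
    start = off
    _, _, off = _tlv(tbs, off)              # issuer Name
    issuer = tbs[start:off]
    _, _, off = _tlv(tbs, off)              # validity
    start = off
    _, _, off = _tlv(tbs, off)              # subject Name
    return tbs[start:off], issuer

def check_chain_order(pem_text):
    """Return a list of problems; empty means leaf first, then each issuer in turn."""
    certs = [der for label, der in pem_blocks(pem_text) if label == "CERTIFICATE"]
    if not certs:
        return ["no CERTIFICATE block found"]
    names = [subject_issuer(c) for c in certs]
    problems = []
    if len(certs) > 1 and names[0][0] == names[0][1]:
        problems.append("first certificate is self-signed: a root, not the leaf")
    for i in range(len(certs) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append("certificate %d is not issued by certificate %d" % (i, i + 1))
    return problems

# --- constructed test material (hypothetical names, dummy key and signature) ---

def _der(tag, body):
    """Encode one DER TLV with a minimal length field."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    oid_cn = _der(0x06, bytes([0x55, 0x04, 0x03]))          # id-at-commonName
    return _der(0x30, _der(0x31, _der(0x30, oid_cn + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject, issuer):
    """Unsigned X.509 skeleton with the given subject/issuer, PEM-encoded."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x18, b"20240101000000Z") + _der(0x18, b"20250101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))         # placeholder public key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + _name(issuer) + validity + _name(subject) + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))   # dummy signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

LEAF = fake_cert_pem("www.example.test", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")

def demo():
    """Correct order versus a CA bundle pasted above the leaf."""
    return (check_chain_order(LEAF + INTERMEDIATE + ROOT),
            check_chain_order(ROOT + INTERMEDIATE + LEAF))
```

The checker deliberately leaves out the other half of the rule in the thread, that the first certificate must match the private key; with the OpenSSL command line that is `openssl x509 -in bundle.pem -noout -pubkey` compared against `openssl pkey -in bundle.pem -pubout`, which should print identical public keys. Including the root is optional for a server, since clients must already trust it; the check above accepts it either way.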