On Fri, 17 Feb 2012 12:12:43 -0700 Dave Meetchum <yancy7...@gmail.com> wrote:
> I am trying to use OpenSSL on iOS and Android in conjunction with
> libcurl for my application's HTTP interface. From what I understand
> OpenSSL does not come with a CA cert which is understandable. Also my
> understanding is that if you need a CA cert on the client to verify
> the server is who they claim to be.

No. The client browser checks the certificate you register with openssl (which is public, but may have a private key); this is done as part of the preliminary negotiation. You do not need to provide the client with its own certificate or do anything other than:

1) create or obtain a certificate.
2) pass ssl the .crt file and the private key, e.g. via SSL_CTX_use_certificate_file() and SSL_CTX_use_PrivateKey_file() during initialization of the server.

After that you don't need to do anything.

You can create your own "self-signed" certificate (these trigger a warning in the client user agent and the user must accept an "untrusted" connection), or obtain one, usually for a fee, from a trusted certificate authority. It does not have to be Mozilla. There are also people who provide them for free, e.g.: http://cert.startcom.org/

MK

--
"Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
"The angel of history[...]is turned toward the past." (Walter Benjamin)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
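The certificate steps from the message above, as an added example that is not part of the original thread: it creates a throwaway self-signed certificate with the openssl command-line tool, checks that the key matches it, and then verifies the certificate once with an empty trust store (the "untrusted" case) and once with the certificate supplied as a trust anchor. The file names and the CN are assumptions, and it expects OpenSSL 1.1.0 or later on PATH.

```shell
#!/bin/sh
# Added example with constructed, throwaway key material (not from the thread).
# Assumes the openssl CLI, version 1.1.0 or later, is installed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/server.crt"   # hypothetical file names
KEY="$WORK/server.key"

# Step 1: create a self-signed certificate and an unencrypted private key.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# Before step 2 (loading both files into the server), confirm the private
# key belongs to the certificate by comparing the two public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$CERT" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$KEY" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# A verifier with no trust anchors at all: the self-signed certificate is
# rejected, which is what surfaces as the "untrusted" warning in a client.
verify_without_anchor() {
    openssl verify -no-CAfile -no-CApath "$CERT" >/dev/null 2>&1
}

# The same check after the certificate itself is given as a trust anchor.
verify_with_anchor() {
    openssl verify -no-CApath -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

make_self_signed && key_matches_cert && echo "key matches certificate"
verify_without_anchor || echo "empty trust store: verification fails"
verify_with_anchor && echo "certificate as trust anchor: verification OK"
```
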