On 7/13/2012 12:50 AM, John wrote:
> Hello. I have installed OpenSSL-Win64 version 1.0.1c on a 64-bit Win7
> machine, which I use primarily on my home network. I am wanting to
> use another program now, socat, which is making reference to the CA
> store in some of its commands. As you know, OpenSSL does not, at least
> in Windows, provide a CA store during installation, and no doubt for
> good reason. Even so, one way or another I need to get one to use, at
> least I need to have the certificates related to the current task at
> hand.
> In this case I am connecting to a single website using https and I
> have obtained the separate SSL pem for that site's authentication. It
> also happens that I do have a CA store, besides the one that Windows
> itself provides, as another program I use, wget, did actually install
> a current one for its use. The problem I have is that the "cacert.pem"
> that came with wget appears to be a single file comprised of a large
> collection of individual root certificates, but these do not include
> the lower-level one I now need for this server.
> Now, it happens that the socat command I need is able optionally to
> make reference to a certificate file in two different ways, as I
> understand the manual:
> cafile=<filename>
> Specifies the file with the trusted (root) authority certificates. The
> file must be in PEM format and should contain one or more
> certificates. The party that checks the authentication of its peer
> trusts only certificates that are in this file.
This is the same file format you have in your "wget" repository (note
that this must be an unofficial wget distribution, the common
distributions of wget do not include any CA certs)
> capath=<dirname>
> Specifies the directory with the trusted (root) certificates. The
> directory must contain certificates in PEM format and their hashes
> (see OpenSSL documentation)
This is the "hashed directory" format also used on most UNIX-style
openssl installations. The directory needs to contain:
One text file for each certificate, with any file name (avoid spaces,
try to stick to ASCII). Format is a single "PEM" format CA certificate,
file extension is ".pem". Certificates that are in binary format can be
converted with the command "openssl x509 -inform DER -in oldfilename.crt
-out newfilename.pem"
A copy of each of these text files with the file name obtained by
running the command "openssl x509 -noout -hash -in originalcertfile.pem"
followed by a period and a small number (usually 0). If more than one
certificate has the same hash, but are really different (this does
happen!), use a larger number, such as 1 or 2 or ...
There is a standard unix-only perl script to do this called c_rehash; I
have converted it to a Windows batch file at the end of this mail.
> It looks to me like the option for cafile would require that I have
> all the certificates in one file, and the option for capath would
> require that they all be separated. I don't know whether using the
> first option with just this one certificate received from the site
> admin would work sufficiently; but even if it did, I would be back in
> the same boat the next time around with a different site. I need to
> have a way of combining certificates and adding to the collection in
> the future. Alternatively, I would need a way of separating these
> certificates I already have and put them into the proper format along
> with their hashes. I have to believe that these two things can be
> done, but I do not see the instructions for doing so. Can anyone
> provide a pointer or aim me to the right set of instructions? Thanks.
Below is the rewritten c_rehash program.
Put all the trusted CA certificates and their CRLs in a directory called
"input" and then run this batch file, it will create a new directory
named "certs" with the standard contents.
The certificates must already be in "PEM" format, otherwise the combined
ca-certificates.crt bundle will be wrong.
Avoid file names with spaces or equal signs in them.
---- c_rehash bat begins here ----
@echo off
REM Copyright (C) 2012,2012 WiseMo A/S. All Rights Reserved.
REM Licensed under the OpenSSL license, no part of this file is from eay or tjw
REM Windows batch rewrite of c_rehash perl script
REM version 0.1, tested with OpenSSL 1.0.x
REM Start from an empty "certs" output directory
if exist certs rd /s /q certs
if exist certs goto FAIL
md certs
if not exist certs goto FAIL
REM Copy every input certificate into certs\ with a .pem extension
if exist input\*.cer copy input\*.cer certs\*.pem
if exist input\*.crt copy input\*.crt certs\*.pem /Y
if exist input\*.pem copy input\*.pem certs\*.pem /Y
if exist certs\ca-certificates.pem del certs\ca-certificates.pem
if not exist certs\*.pem goto FAIL
if exist input\*.crl copy input\*.crl certs\
REM Create a hashed copy (hash.N for certificates, hash.rN for CRLs) of each file
for %%A in (certs\*.pem) do call :HASHX509 %%A
for %%A in (certs\*.crl) do call :HASHCRL %%A
REM Also build a single-file bundle for programs that want cafile=
copy certs\*.pem certs\ca-certificates.crt >NUL
goto DONE
:HASHX509
set HASH=
REM Try PEM then DER input; the subject hash becomes the file name prefix
( for %%B in (pem der) do for /F %%C in ('openssl x509 -noout -hash -inform %%B -in %1') do if not "%%C"=="" set HASH=%%C.
) 2>NUL
goto HASHCMN
:HASHCRL
set HASH=
REM CRLs get the issuer hash followed by "r" before the number
( for %%B in (pem der) do for /F %%C in ('openssl crl -noout -hash -inform %%B -in %1') do if not "%%C"=="" set HASH=%%C.r
) 2>NUL
goto HASHCMN
:HASHCMN
if "%HASH%"=="" goto BADFILE
REM Pick the lowest unused number after the hash (distinct CAs can share a hash)
set NUM=bad
for /L %%B in (10,-1,0) do if not exist "certs\%HASH%%%B" set NUM=%%B
if "%NUM%"=="bad" for /L %%B in (100,-1,0) do if not exist "certs\%HASH%%%B" set NUM=%%B
if "%NUM%"=="bad" for /L %%B in (999,-1,0) do if not exist "certs\%HASH%%%B" set NUM=%%B
if "%NUM%"=="bad" goto TOOMANY
copy %1 certs\%HASH%%NUM% >NUL
if not exist certs\%HASH%%NUM% goto HASHFAIL
set HASH=
goto DONE
:BADFILE
echo Warning: %1 is not a valid file
goto DONE
:TOOMANY
echo Error: more than 1000 CAs with hash %HASH%, skipping %1
set HASH=
goto DONE
:HASHFAIL
echo Error creating hashed copy of %1 as %HASH%%NUM%
set HASH=
goto DONE
:FAIL
echo Error: could not create the certs directory or no certificates found in input
goto DONE
:DONE
---- c_rehash bat ends here ----
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
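As an added example (not the batch file from the mail and not socat's or OpenSSL's own code), a POSIX shell version of the two things John asks for: splitting a bundle such as wget's cacert.pem into one file per certificate, and filling a capath-style directory with hash.N copies using the same "openssl x509 -noout -hash" command the batch file relies on. The function names, the cert-N.pem naming and the 0..999 suffix limit are assumptions of this example, and rehash_dir needs the openssl binary at run time.

```shell
#!/bin/sh
# Build an OpenSSL "hashed directory" (usable as socat's capath=) from a
# PEM bundle. Constructed example; not the c_rehash.bat from the mail.

# split_bundle BUNDLE OUTDIR: write OUTDIR/cert-N.pem for every
# BEGIN/END CERTIFICATE block; prints the number of blocks written.
# Text between blocks (comments in cacert.pem) is dropped.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# next_free_suffix DIR HASH: lowest N in 0..999 such that DIR/HASH.N does
# not exist (distinct CAs really can share a subject hash); fails if full.
next_free_suffix() {
    n=0
    while [ "$n" -le 999 ]; do
        [ -e "$1/$2.$n" ] || { echo "$n"; return 0; }
        n=$((n + 1))
    done
    return 1
}

# rehash_dir DIR: for each DIR/*.pem compute the OpenSSL subject hash and
# copy the certificate to DIR/<hash>.N so capath lookups can find it.
rehash_dir() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -hash -in "$f" 2>/dev/null) || {
            echo "warning: $f is not a PEM certificate" >&2; continue; }
        n=$(next_free_suffix "$1" "$h") || {
            echo "error: more than 1000 CAs with hash $h, skipping $f" >&2; continue; }
        cp "$f" "$1/$h.$n"
    done
}

# Usage: split_bundle cacert.pem certs && rehash_dir certs
# Then point socat at capath=certs; to add a site's extra CA later, drop its
# PEM file into certs/ and run rehash_dir again. For cafile= instead,
# concatenate: cat certs/*.pem > bundle.pem
```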
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]