On Apr 24, 2014, at 8:21 AM, Edward Ned Harvey (openssl) <open...@nedharvey.com> wrote:
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
>>
>> - the truststore if -CAfile and/or -CApath specified IF NEEDED
>
> Thank you very much for your awesome detailed answer. This answers a lot of
> questions, but I am left with a new one:
>
> I use openssl on a lot of different platforms, and it always seems to be
> built differently... OSX native, OSX homebrew, various linuxes, openindiana,
> cygwin, nuGet in Visual Studio, etc. I don't know if these builds
> universally include any set of root CA's, and sometimes I can find a
> directory to answer my question, sometimes not.

OpenSSL itself does not include any certificates at all. The root certificates installed on a system are unrelated to the version of OpenSSL or how OpenSSL was compiled.

> Is there some way I can make openssl tell me the list of roots it has? Or
> tell me the directory (directories) that it searches?

For the second question, no; there’s no location that OpenSSL (either the library or the command line app) will search automatically — you have to specify that on your own, with -CApath (or -CAfile).

For the first question, there are a few different possibilities, but remember that you have to tell OpenSSL where to look, and what to look for. :) You could, e.g., use ‘openssl x509 -noout -text -in <file>’ for a bunch of different certificate files in DER or PEM format (it’ll even work if there are multiple certificates in <file>).

> It seems, to answer my original question, *if* I can trust that openssl on
> the platform that I'm using actually has a complete-ish set of root CA's, then
> the best and easiest way to build the pfx will be:
> openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt
> (Correct?)
If the OS has a complete-ish set of root certificates installed somewhere, you can use a command line like that, but you probably want to use -CApath to specify the directory where the root certificates are installed.

> And if the above doesn't automatically include the root CA for my chain (or
> if I just like doing it explicitly), then I can do this:
> openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt -CAfile ca.crt
> (Correct?)

That’s likely to be more reliable everywhere. :)

> Alternatively, I could
> cat mycert.crt intermediate.crt ca.crt > mychain.crt
> openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mychain.crt
> (Correct?)

This would also work, but unless you’ve got another reason to stick all of the certificates in the chain into a single file first, it’s likely to be more trouble than it’s worth.

I usually put my root and any intermediates into a single file and use -CAfile to specify the intermediate(s) (if any) and root when I’m generating certificates and packaging them in PKCS#12 for distribution (e.g. to send to a Windows user). But I think the question of what’s “best” is dependent on what you’re doing, and how you like to do things. :)

TOM

> Thanks...
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> ______________________________________________________________________
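An added worked example, not part of the thread above: a POSIX shell script that builds a throwaway root/intermediate/leaf chain with the openssl command line, shows that the leaf only verifies once the root is handed over with -CAfile (with the trust store otherwise left empty), and then packages the leaf key together with the concatenated chain into a PKCS#12 file via -certfile, counting the certificates that ended up inside. It assumes OpenSSL 1.1.1 or later on PATH; all file names, subjects and the password are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# chain, show that the leaf verifies only once OpenSSL is told where the root is
# (-CAfile), then pack leaf key + chain into PKCS#12 via -certfile. OpenSSL >= 1.1.1.
set -eu
# mkcert <name> <CN> <extfile> [<issuer>]: CSR + cert; self-signed when no issuer
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$2" \
        -out "$1.csr" 2>/dev/null
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
            -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" \
            -out "$1.crt" 2>/dev/null
    fi
}

build_chain() {   # writes root/int/leaf .key and .crt into the current directory
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext
    mkcert root 'Test Root' ca.ext
    mkcert int 'Test Intermediate' ca.ext root
    mkcert leaf 'leaf.example' leaf.ext int
}

# Empty trust store (-no-CAfile -no-CApath): nothing to anchor the chain on, so this fails.
verify_no_store()  { openssl verify -no-CAfile -no-CApath -untrusted int.crt leaf.crt >/dev/null 2>&1; }
# Same chain with the root handed over explicitly: succeeds.
verify_with_root() { openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1; }

# The thread's "concatenate the chain" variant, with the chain going into -certfile.
pack_pfx() {
    cat int.crt root.crt > chain.pem
    openssl pkcs12 -export -out bundle.pfx -inkey leaf.key -in leaf.crt \
        -certfile chain.pem -passout pass:changeit
}
# Prints how many certificates bundle.pfx carries (3 = leaf + intermediate + root).
count_pfx_certs() {
    openssl pkcs12 -in bundle.pfx -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
demo() {
    work=$(mktemp -d) && cd "$work"
    build_chain
    if verify_no_store; then echo 'unexpected: verified with an empty trust store'; return 1; fi
    verify_with_root; pack_pfx   # set -e aborts here if the root is not accepted
    echo "leaf verified via -CAfile root.crt; certificates in bundle.pfx: $(count_pfx_certs)"
}
demo
```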