On 12/12/2015 22:23, Dominik Mahrer (Teddy) wrote:
Hi everyone

My question is:
How can I set up a bundle of commercial root CA certificates?
Exactly the same question I found as FAQ #16 (User). But as an answer it is only explained that openssl will not serve a bundle. It is not explained how to set up a bundle, but exactly this I would like to know.

Returning to the original question (please ignore the
silly discussion others are having about file formats).

There are the following options:

A. (Best, most costly).  Set up direct business relationships
  with each relevant CA and use that business relationship
  to obtain both "known good" copies of the applicable root
  certs *and* detailed written proof that the CA is doing
  everything necessary to avoid issuing bad/fake certificates.
   This is what Mozilla, Microsoft and apparently Oracle do.
  Some major Linux distributions may be doing this too.

B. (Somewhat lazy). Obtain known good verified and digitally
  signed copies of the lists of trusted certificates published
  by a vendor you trust to do this right, extract the
  certificates from their software and use that.

C. Wing it and download the root CAs from the homepages of
  each CA, taking care that you have some way of making sure
  you are not getting a fake copy from someone attacking the
  CA's (or your own) Internet connection.  For example, the CA
  may publish the root cert or a strong fingerprint of it on an
  HTTPS protected URL whose certificate is itself signed by
  another CA you already trust.

Either way, you then need to convert this bundle of collected
CA root certs to a common format and install those converted
files in a way supported by the relevant software (for example,
OpenSSL 1.0.x can use the hashed directory layout produced by
c_rehash from OpenSSL 1.0.x, while OpenSSL 0.9.8 can do the
same with the similar but different layout produced by
c_rehash from OpenSSL 0.9.8; either OpenSSL version can
alternatively use a concatenation of all the certs in PEM
format).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
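An added example, not part of the list post, showing option C's "make sure it is not a fake copy" step together with the final PEM concatenation: each downloaded root (DER or PEM) is accepted into the bundle only if its SHA-256 fingerprint matches a value pinned from an independent source, and the resulting bundle is then usable with `openssl verify -CAfile`. It assumes only the openssl CLI on PATH; the pinned fingerprint in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the list post). Assumes the openssl CLI is on
# PATH. Pinned fingerprints must come from a second, independent source
# (the CA's HTTPS page, printed docs), never from the same download.

# Detect whether a certificate file is PEM or DER.
cert_fmt() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then echo PEM; else echo DER; fi
}

# SHA-256 fingerprint of a cert file, lowercase hex without colons.
cert_fp() {
  openssl x509 -inform "$(cert_fmt "$1")" -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Succeeds only if the file's fingerprint equals the pinned value
# (pinned value may be given with or without colons, in any case).
check_pin() {
  [ "$(cert_fp "$1")" = "$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')" ]
}

# add_to_bundle BUNDLE CERTFILE PINNED_FP: convert to PEM and append,
# refusing (return 1, nothing written) when the pin does not match.
add_to_bundle() {
  if ! check_pin "$2" "$3"; then
    echo "REJECT $2: fingerprint does not match pinned value" >&2
    return 1
  fi
  openssl x509 -inform "$(cert_fmt "$2")" -in "$2" -outform PEM >> "$1"
}

# Number of certificates in a PEM bundle (0 for a missing file).
bundle_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# verify_against_bundle BUNDLE CERT: chain-verify CERT using only the bundle
# as trust anchors (this is the "concatenated PEM" install option).
verify_against_bundle() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage (PINNED_FP is a placeholder, replace with the out-of-band value):
#   add_to_bundle roots.pem SomeRoot.der 'PINNED_FP' && bundle_count roots.pem
```

For the hashed-directory layout mentioned above, write each accepted cert to its own PEM file in a directory and run that OpenSSL version's own c_rehash over it instead of concatenating.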

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users