> Hi,
> I want to do the following (not with HTTP, but HTTP is a good example):
> When a server presents a certificate and the client does not know the CA,
> it should nevertheless be possible to trust this site. The client should
> store the site's public key and name in a "trusted servers" database.
>
> This is how ssh does server authentication.
>
> Is there a simple way to implement this? There are functions in the X509
> library to extract the public key and the subject's name from the
> certificate, but I have found no functions to serialize them to a file or
> load them from a file. Have I missed something?
Well, the database of CAs is essentially a trusted certificate (or public
key) database. You end up at a CA public key from the server's public key
through certificate chaining.
You can choose to trust a server's certificate directly, I imagine, by
installing it as a trusted certificate just like you would install a CA
certificate. A CA certificate, after all, is self-signed and thus presumes
trust by the client.
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+
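As an added illustration of the ssh-style scheme the question describes (this is example code written for this page, not from either poster and not part of OpenSSL), the following Python sketches a per-host "trusted servers" database: on first contact the server's DER certificate is stored under its hostname, later contacts are accepted only if the presented certificate is byte-identical, and a changed certificate is rejected rather than silently replaced. Serialization uses the standard library's `ssl.DER_cert_to_PEM_cert` / `ssl.PEM_cert_to_DER_cert`, so the stored material can be exported as PEM and installed as a trusted certificate in the way the reply suggests. The certificate bytes `CERT_A` and `CERT_B` are constructed placeholders; in a real client they would come from `SSLSocket.getpeercert(binary_form=True)`.

```python
"""Trust-on-first-use store for server certificates, in the spirit of ssh's known_hosts.

Added example, not code from the original thread. Record format, one line per host:
    <hostname> <sha256 hex of DER cert> <base64 DER cert>
"""
import base64
import hashlib
import hmac
import ssl
import tempfile
from pathlib import Path
from typing import Dict

# Constructed sample certificates: arbitrary bytes standing in for real DER.
# A real client would obtain these with SSLSocket.getpeercert(binary_form=True).
CERT_A = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate-A" * 3
CERT_B = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate-B" * 3


class TrustedServers:
    """Hostname -> DER certificate database persisted to a text file."""

    def __init__(self, path):
        self.path = Path(path)
        self.entries: Dict[str, bytes] = {}
        if self.path.exists():
            for line in self.path.read_text().splitlines():
                if not line.strip() or line.startswith("#"):
                    continue
                host, digest, b64 = line.split()
                der = base64.b64decode(b64)
                # The stored digest lets us notice a corrupted or edited record.
                if hashlib.sha256(der).hexdigest() != digest:
                    raise ValueError("corrupt trusted-servers record for %s" % host)
                self.entries[host] = der

    def save(self):
        lines = ["# hostname sha256(DER) base64(DER)"]
        for host, der in sorted(self.entries.items()):
            lines.append("%s %s %s" % (host, hashlib.sha256(der).hexdigest(),
                                       base64.b64encode(der).decode("ascii")))
        self.path.write_text("\n".join(lines) + "\n")

    def check(self, host, der_cert):
        """Return 'unknown', 'trusted' or 'mismatch' for the presented certificate."""
        known = self.entries.get(host)
        if known is None:
            return "unknown"
        return "trusted" if hmac.compare_digest(known, der_cert) else "mismatch"

    def trust(self, host, der_cert):
        self.entries[host] = der_cert
        self.save()

    def pem(self, host):
        """Export a stored certificate as PEM, e.g. to install it as a trusted cert."""
        return ssl.DER_cert_to_PEM_cert(self.entries[host])


def decide(db, host, der_cert, accept_new=True):
    """Trust-on-first-use policy: accept known-good, store new if allowed, reject changes."""
    status = db.check(host, der_cert)
    if status == "trusted":
        return "accept"
    if status == "unknown" and accept_new:
        db.trust(host, der_cert)
        return "accept-and-store"
    # Either an unknown host in strict mode, or a certificate that differs from
    # the one previously stored. A changed key is the case ssh warns loudly about;
    # it must never be updated automatically.
    return "reject"


def demo():
    """Run the flow against the constructed certificates and return the decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = Path(tmp) / "trusted_servers"
        db = TrustedServers(db_path)
        results = {}
        results["first"] = decide(db, "mail.example.net", CERT_A)
        results["second"] = decide(db, "mail.example.net", CERT_A)
        results["changed"] = decide(db, "mail.example.net", CERT_B)
        results["strict_new"] = decide(db, "other.example.net", CERT_B, accept_new=False)
        reloaded = TrustedServers(db_path)  # re-read from disk to prove persistence
        results["persisted"] = reloaded.check("mail.example.net", CERT_A)
        results["pem_roundtrip"] = (
            ssl.PEM_cert_to_DER_cert(reloaded.pem("mail.example.net")) == CERT_A)
        results["stored_hosts"] = sorted(reloaded.entries)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

Pinning the whole certificate, as above, means the entry has to be re-approved when the server legitimately renews its certificate; storing only the public key (or a hash of the SubjectPublicKeyInfo) instead survives renewals that keep the same key pair, which is closer to what ssh does.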