The server sends the client its certificate when the client connects. The client uses its configured db to verify the server cert, using e.g. contained CA certs (or perhaps Trusted Peer certs). If the server requires one for client-certificate authentication, the client can also use its configured db for a cert to send to the server. I believe NSS stores all these in a single 'certdb' where you can configure what a given entry is used for, hence only a single CERT_DB setting. It is able to decide if e.g. it is a trusted peer or a CA cert that can be used to verify trust in an incoming cert based on the settings you configure.
If you have been provided a server 'trust store' to use I would expect it to contain everything you need from the server side to have the client trust it. It typically wouldn't have the CA/server key in it, just certs, with keys being the private bits keeping things secure. Whoever supplied you with the trust store can help you with the specifics of their setup far better than I can, such as whether they require client certs.

Robbie

On Wed, 19 Aug 2020 at 17:14, cgh467 <[email protected]> wrote:
>
> Hi Robbie,
>
> Thanks for the links. I have been following the run_ssl_tests example and
> am able to create a C++ client to connect to a localhost qpid server with the below
> certs created from the certutil database.
>
> Certificate Nickname          Trust Attributes
>                               SSL,S/MIME,JAR/XPI
>
> Test-CA                       CTu,u,u
> 127.0.0.1                     Pu,u,u
> client                        Pu,u,u
>
> However, when I get the certs from the Java keystore, I was not able to
> connect to the remote Qpid Java server. I think I need the below types of files from
> the Java server, right?
> 1. CA cert and key in PEM format
> 2. Server cert and key in PEM format
> 3. Client cert and key in PEM format (optional)
>
> When I import the certs and key to the certutil database, is there any
> requirement for the "Certificate Nickname"? When I did the localhost test, I
> had to make the server name "127.0.0.1" so that I could use a URL (such as
> 127.0.0.1:5671) to connect to the local server. I'm confused how the qpid
> SSL finds the server cert since there is no server option setting in the C++
> client code. Only the client cert setting exists, as below:
> export QPID_SSL_CERT_DB=/root/client_db
> export QPID_SSL_CERT_NAME=client
>
> Thanks so much!
>
> Linda
>
> --
> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
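To make Robbie's point concrete (the certdb's trust attributes tell NSS what each entry may be used for), here is an added example that is not code from the thread or the Qpid project: it parses the `certutil -L` listing quoted above and reports what a client with the given QPID_SSL_CERT_NAME can do. The flag meanings are certutil's documented `-t` trust arguments; the function names are my own.

```python
"""Interpret an NSS certdb listing (certutil -L) from the client's side.
Added example for this thread, not Qpid project code; flag meanings follow
the certutil -t trust-argument documentation."""
import re

# Listing as posted in the thread: nickname, then SSL,S/MIME,JAR/XPI flags.
CERTUTIL_LISTING = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Test-CA                                     CTu,u,u
127.0.0.1                                   Pu,u,u
client                                      Pu,u,u
"""

# One data line: nickname, whitespace, three comma-separated flag groups.
ENTRY_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<ssl>[pPcCTuwg]*),(?P<smime>[pPcCTuwg]*),(?P<jar>[pPcCTuwg]*)\s*$")

# SSL-column flag -> what that flag lets the entry be used for.
SSL_ROLES = {
    "C": "trusted CA for issuing server certs",
    "T": "trusted CA for issuing client certs",
    "P": "trusted peer (cert accepted as-is, no chain needed)",
    "u": "user cert (private key present, can be presented by the client)",
}

def parse_listing(text):
    """Return {nickname: (ssl, smime, jar)} for every data line; headers are skipped."""
    return {m["nick"]: (m["ssl"], m["smime"], m["jar"])
            for m in map(ENTRY_RE.match, text.splitlines()) if m}

def ssl_roles(flags):
    """Roles granted by the SSL trust flags, in flag order."""
    return [SSL_ROLES[f] for f in flags if f in SSL_ROLES]

def check_client_db(listing, cert_name):
    """Problems that would stop a client using QPID_SSL_CERT_NAME=cert_name
    from trusting a server or presenting its own cert; [] means the db looks OK."""
    entries = parse_listing(listing)
    problems = []
    # Something must vouch for the server: a trusted CA (C) or a trusted peer (P).
    if not any("C" in ssl or "P" in ssl for ssl, _, _ in entries.values()):
        problems.append("no entry with C or P in the SSL column: no server cert can be trusted")
    if cert_name not in entries:
        problems.append(f"nickname {cert_name!r} not in db (QPID_SSL_CERT_NAME must match exactly)")
    elif "u" not in entries[cert_name][0]:
        problems.append(f"{cert_name!r} has no 'u' flag: its private key was not imported")
    return problems
```

With the listing from the thread and `cert_name="client"`, `check_client_db` returns no problems; the Test-CA entry's `C` flag is what lets the client verify a server cert it issued.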
