Gordon and I also replied to the other thread. Posting the link here to make later reference easier: https://lists.apache.org/thread.html/611523d9ac3569a578d446b6363898d1226f13ffa050458efc56d470%401451392828%40%3Cusers.qpid.apache.org%3E
(In general please avoid skipping between threads, and reviving 4-5yr old threads, when you already have a fresh one started)

On Thu, 20 Aug 2020 at 10:59, Robbie Gemmell <[email protected]> wrote:
>
> The server sends the client its certificate when the client connects.
> The client uses its configured db to verify the server cert, using e.g
> contained CA certs (or perhaps Trusted Peer certs). If the server
> requires one for client-certificate authentication, the client can
> also use its configured db for a cert to send to the server. I believe
> NSS stores all these in a single 'certdb' where you can configure what
> a given entry is used for, hence only a single CERT_DB setting. It is
> able to decide if e.g it is a trusted peer or a CA cert that can be
> used to verify trust in an incoming cert based on the settings you
> configure.
>
> If you have been provided a server 'trust store' to use I would expect
> it to contain everything you need from the server side to have the
> client trust it. It typically wouldn't have the ca/server key in it,
> just certs, with keys being the private bits keeping things secure.
> Whoever supplied you with the trust store can help you with the
> specifics of their setup far better than I can, such as whether they
> require client certs.
>
> Robbie
>
> On Wed, 19 Aug 2020 at 17:14, cgh467 <[email protected]> wrote:
> >
> > Hi Robbie,
> >
> > Thanks for the links. I have been following the run_ssl_tests example and
> > am able to create a c++ client to connect to the localhost qpid server with the
> > below certs created from the certutil database.
> >
> > Certificate Nickname                 Trust Attributes
> >                                      SSL,S/MIME,JAR/XPI
> >
> > Test-CA                              CTu,u,u
> > 127.0.0.1                            Pu,u,u
> > client                               Pu,u,u
> >
> > However, when I get the certs from the java keystore, I was not able to
> > connect to the remote Qpid java server. I think I need the below types of files
> > from the Java server, right?
> > 1. CA cert and key in PEM format
> > 2. Server cert and key in PEM format
> > 3. Client cert and key in PEM format (optional)
> >
> > When I import the certs and key into the certutil database, is there any
> > requirement for the "Certificate Nickname"? When I did the localhost test, I
> > had to make the server name "127.0.0.1" so that I can use a URL (such as
> > 127.0.0.1:5671) to connect to the local server. I'm confused how the qpid
> > SSL finds the server cert since there is no server option setting in the C++
> > client code. Only the client cert setting exists, as below:
> > export QPID_SSL_CERT_DB=/root/client_db
> > export QPID_SSL_CERT_NAME=client
> >
> > Thanks so much!
> >
> > Linda
> >
> >
> > --
> > Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
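An added, editorial example of the flow Robbie describes (this is not code from the Qpid project or from either poster): pull the CA certificate, and only the certificate, out of the Java keystore; import it into the NSS certdb with CA trust so it can vouch for the server cert the broker presents; import the client cert and its private key through PKCS#12 under the nickname QPID_SSL_CERT_NAME will name; then read a `certutil -L` listing in the format pasted above to confirm the db holds what the client needs. The keystore aliases "ca" and "client", the "Test-CA" nickname, the paths, the passwords and the empty db password are all assumptions; the sample listing at the bottom is constructed to mirror the one in the thread so the checker runs without NSS or Java installed.

```shell
#!/bin/sh
# Added example for this thread; not code from the Qpid project or either poster.
# Assumptions (hypothetical): the Java keystore holds the server's CA under
# alias "ca" and the client key pair under alias "client"; the NSS db is
# created with an empty password, so the client needs no password file.
set -eu

# 1. Export only the CA certificate (no key) from the Java keystore, as PEM.
export_ca_pem() {                 # args: keystore storepass alias out.pem
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# 2. Export the client cert + private key as PKCS#12. NSS takes private keys
#    only through pk12util; certutil -A imports certificates alone.
export_client_p12() {             # args: keystore storepass alias out.p12 p12pass
  keytool -importkeystore -srckeystore "$1" -srcstorepass "$2" -srcalias "$3" \
    -destkeystore "$4" -deststoretype PKCS12 -deststorepass "$5"
}

# 3. Populate the db that QPID_SSL_CERT_DB points at. "CT,," marks the entry as
#    a CA trusted to issue server certs (C) and client certs (T). The client
#    cert keeps the nickname stored in the p12; that is what QPID_SSL_CERT_NAME
#    must name. No server cert is imported: the CA entry vouches for it.
import_into_nss_db() {            # args: dbdir ca.pem client.p12 p12pass
  mkdir -p "$1" && chmod 700 "$1"                 # the db will hold a private key
  [ -f "$1/cert9.db" ] || [ -f "$1/cert8.db" ] || certutil -N -d "$1" --empty-password
  certutil -A -d "$1" -n "Test-CA" -t "CT,," -i "$2"
  pk12util -d "$1" -i "$3" -W "$4"
}

# 4. Check a `certutil -L -d <db>` listing for what the client needs: an entry
#    trusted to vouch for the server (C = CA, or P = trusted peer, in the SSL
#    column) and a private key (u) under our own nickname.
check_listing() {                 # arg: QPID_SSL_CERT_NAME; listing on stdin
  awk -v want="$1" '
    # Only rows whose last field is a trust triple (SSL,S/MIME,JAR/XPI) are certs.
    $NF !~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ { next }
    {
      nick = $0
      sub(/[ \t]+[^ \t]+$/, "", nick)        # drop the trust column
      sub(/^[ \t]+/, "", nick)               # and any leading indent
      split($NF, f, ",")                     # f[1] is the SSL column
      if (index(f[1], "C")) ca = 1
      if (index(f[1], "P")) peer = 1
      if (nick == want && index(f[1], "u")) key = 1
    }
    END { printf "ca=%d peer=%d key=%d\n", ca, peer, key }'
}

# 5. End to end: keystore -> NSS db -> listing check. Exported private material
#    lives in a scratch dir that is removed as soon as the import is done.
convert_java_keystore() {         # args: keystore storepass dbdir
  work=$(mktemp -d)
  export_ca_pem "$1" "$2" ca "$work/ca.pem"
  export_client_p12 "$1" "$2" client "$work/client.p12" "$2"
  import_into_nss_db "$3" "$work/ca.pem" "$work/client.p12" "$2"
  rm -rf "$work"
  certutil -L -d "$3" | check_listing client
}

# Constructed sample mirroring the listing pasted in the thread, so the checker
# can be exercised without NSS or Java installed.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Test-CA                                                      CTu,u,u
127.0.0.1                                                    Pu,u,u
client                                                       Pu,u,u'

printf '%s\n' "$SAMPLE_LISTING" | check_listing client     # ca=1 peer=1 key=1

# Real run (hypothetical paths): ./nss_from_jks.sh convert server.jks changeit /root/client_db
if [ "${1:-}" = convert ]; then
  convert_java_keystore "$2" "$3" "$4"
fi
```

After a real run, `export QPID_SSL_CERT_DB=/root/client_db` and `export QPID_SSL_CERT_NAME=client` are the only client-side settings, exactly as in the thread: there is no server-cert setting because NSS validates the chain the broker presents against the "C"-trusted CA (or a "P" trusted peer) in that same db, and hostname verification compares the host in the connection URL with the name in the server's certificate, which is why the local test had to be issued for and addressed as 127.0.0.1. A trust store handed over by the broker's operator should import cleanly with step 3 alone; if it contains a private key, that key should not have been shared.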
