How can I set up a bundle of commercial root CA certificates? (FAQ 16)


How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Dominik Mahrer (Teddy)
Hi everyone

My question is:
How can I set up a bundle of commercial root CA certificates?
Exactly this same question I found as FAQ #16 (User). But as an answer
it is only explained that openssl will not serve a bundle. It is not
explained how to set up a bundle - but exactly this I would like to
know.

Thanks in advance
Teddy

--
Teddy Engineering GmbH     http://www.teddy.ch/
Lettenmattstrasse 5        mailto:[hidden email]
8903 Birmensdorf ZH        +41 32 511 07 48



_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Ben Humpert
Hi,

so if I understand you correctly, you want to create one file that
contains more than one CA certificate and can be installed onto
Windows, Mac, etc.? You can only do that if you create a p12 file, and
that must contain a leaf certificate and its private key.

openssl pkcs12 -export -in out/X.crt -inkey out/X.key -chain -out out/X.p12

You can check the openssl pkcs12 help for more arguments.

Best regards,

Ben

2015-12-12 22:23 GMT+01:00 Dominik Mahrer (Teddy) <[hidden email]>:

> Hi everyone
>
> My question is:
> How can I set up a bundle of commercial root CA certificates?
> Exactly this same question I found as FAQ #16 (User). But as an answer
> it is only explained that openssl will not serve a bundle. It is not
> explained how to set up a bundle - but exactly this I would like to know.
>
> Thanks in advance
> Teddy
>
> --
> Teddy Engineering GmbH     http://www.teddy.ch/
> Lettenmattstrasse 5        mailto:[hidden email]
> 8903 Birmensdorf ZH        +41 32 511 07 48
>
>
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Kurt Roeckx
In reply to this post by Dominik Mahrer (Teddy)
On Sat, Dec 12, 2015 at 10:23:38PM +0100, Dominik Mahrer (Teddy) wrote:
> Hi everyone
>
> My question is:
> How can I set up a bundle of commercial root CA certificates?
> Exactly this same question I found as FAQ #16 (User). But as an answer
> it is only explained that openssl will not serve a bundle. It is not
> explained how to set up a bundle - but exactly this I would like to know.

Why do you think you need a bundle?  How will this bundle then be
used?

An answer could be that you just cat all the pem files into 1
large file.


Kurt


Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Viktor Dukhovni
In reply to this post by Dominik Mahrer (Teddy)

> On Dec 12, 2015, at 4:23 PM, Dominik Mahrer (Teddy) <[hidden email]> wrote:
>
> How can I set up a bundle of commercial root CA certificates?
> Exactly this same question I found as FAQ #16 (User). But as an answer it is only explained that openssl will not serve a bundle. It is not explained how to set up a bundle - but exactly this I would like to know.

To populate OpenSSL's trust-anchor set (which ships empty), you
first need to determine the OpenSSL configuration directory, which
is reported by (e.g. on my NetBSD system):

   $ openssl version -d
   OPENSSLDIR: "/usr/pkg/etc/openssl"

OpenSSL looks for certificates at that location, specifically:

        X509_CERT_DIR           OPENSSLDIR "/certs"
        X509_CERT_FILE          OPENSSLDIR "/cert.pem"

In other words, you can concatenate all the trusted root CA
certs into the "cert.pem" file in that directory, but this
has a performance cost, as all the certificates are loaded
into memory and parsed even though most go unused.  Alternatively,
you can put one certificate per file into the "certs/" sub-directory
and run c_rehash to create the necessary symlinks that make it possible
for OpenSSL to find the certificate for a given issuer DN.

Some O/S distributions automatically populate the above file and/or
directory as part of installing OpenSSL, with whatever trust-anchors
(root CAs) they think are broadly applicable.  OpenSSL upstream does
not make that choice.

--
        Viktor.



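An added example (not from the thread) in Python of the two layouts described above: it reads a concatenated PEM bundle like the "cert.pem" file, splits it into one certificate per file for the "certs/" directory that c_rehash indexes, checks that each block is base64-encoded DER, and computes the SHA-256 fingerprint a practitioner would compare against the CA's published value. The sample bundle is constructed with minimal DER payloads, not real certificates, and c_rehash still has to be run over the output directory afterwards.

```python
import base64
import hashlib
import os
import re

# Constructed sample bundle: two PEM blocks whose payload is a minimal DER
# SEQUENCE, not a real certificate (real root certs are much longer).
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_bundle(pem_text):
    """Return (pem_block, der_bytes) for each certificate in a concatenated
    bundle; reject blocks that are not base64 or not a DER SEQUENCE."""
    certs = []
    for m in PEM_RE.finditer(pem_text):
        b64 = re.sub(r"\s+", "", m.group(1))
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
        certs.append((pem, der))
    return certs


def fingerprint(der):
    """SHA-256 over the DER bytes, colon-separated as CAs publish it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def write_one_per_file(pem_text, certs_dir):
    """Write each certificate as <certs_dir>/<n>.pem, one per file, which is
    the layout c_rehash then indexes by subject-name hash."""
    os.makedirs(certs_dir, exist_ok=True)
    paths = []
    for n, (pem, der) in enumerate(split_bundle(pem_text)):
        path = os.path.join(certs_dir, "%d.pem" % n)
        with open(path, "w") as f:
            f.write(pem)
        paths.append(path)
    return paths
```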

Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Ben Humpert
2015-12-13 3:53 GMT+01:00 Viktor Dukhovni <[hidden email]>:
>
> In other words, you can concatenate all the trusted root CA
> certs into the "cert.pem" file in that directory, but this
> has a performance cost, as all the certificates are loaded
> into memory and parse even though most go unused.  Alternatively,


The problem with concatenating certs into one file is that at least
Windows does not understand that format and just reads the first
certificate but ignores all following.

Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Walter H.
On 13.12.2015 11:34, Ben Humpert wrote:
> 2015-12-13 3:53 GMT+01:00 Viktor Dukhovni<[hidden email]>:
>> In other words, you can concatenate all the trusted root CA
>> certs into the "cert.pem" file in that directory, but this
>> has a performance cost, as all the certificates are loaded
>> into memory and parse even though most go unused.  Alternatively,
> The problem with concatenating certs into one file is that at least
> Windows does not understand that format and just reads the first
> certificate but ignores all following.
>
then create a pkcs7 container

openssl crl2pkcs7 -nocrl -certfile cert1.pem -certfile cert2.pem \
    -certfile cert3.pem -out bundle.p7b





Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Viktor Dukhovni
In reply to this post by Ben Humpert

> On Dec 13, 2015, at 5:34 AM, Ben Humpert <[hidden email]> wrote:
>
> 2015-12-13 3:53 GMT+01:00 Viktor Dukhovni <[hidden email]>:
>>
>> In other words, you can concatenate all the trusted root CA
>> certs into the "cert.pem" file in that directory, but this
>> has a performance cost, as all the certificates are loaded
>> into memory and parse even though most go unused.  Alternatively,
>
>
> The problem with concatenating certs into one file is that at least
> Windows does not understand that format and just reads the first
> certificate but ignores all following.

This is both wrong and irrelevant.  The OP should proceed as instructed.
OpenSSL's CAfile feature reads multiple certificates from a single file.

--
        Viktor.




Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Ben Humpert
2015-12-13 20:27 GMT+01:00 Viktor Dukhovni <[hidden email]>:
>
> This is both wrong and irrelevant.  The OP should proceed as instructed.
> OpenSSL's CAfile feature reads multiple certificates from a single file.

Exactly that is the point. Only "linux based" tools will be able to
read such a pem file. Windows certificate tools are not able to do so.
And we don't know on which client the OP will have to use that pem file,
thus give advice that works on all clients, not just OpenSSL or GnuTLS
or whatever.

Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Salz, Rich

> And we don't know on which client the OP will have to use that pem file, thus
> give advice that works on all clients, not just OpenSSL or GnuTLS or whatever.

It is quite reasonable to give openssl-specific answers on the openssl-users mailing list, isn’t it?

Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Ben Humpert
2015-12-13 22:57 GMT+01:00 Salz, Rich <[hidden email]>:
>
>> And we don't know on which client the OP will have to use that pem file, thus
>> give advice that works on all clients, not just OpenSSL or GnuTLS or whatever.
>
> It is quite reasonable to give openssl-specific answers on the openssl-users mailing list, isn’t it?

All given answers are openssl-specific (OP uses OpenSSL to CREATE the
bundle but likely not to READ / USE the created bundle). You are
intelligent enough to understand the difference, aren't you?

The problem with Viktor Dukhovni is that he acts like THE AUTHORITY;
saying all other given answers are wrong (actually none is).
Additionally his solution is complicated and only works with OpenSSL.

Since Windows, Mac, GnuTLS, OpenSSL, Android, iPhone, etc. understand
a pkcs7 container and since nobody knows on what clients the bundle
will be used, Walter H's answer is the best solution.

You know encryption but obviously not that there is a world beyond
OpenSSL. And as I already wrote: If you want to use the bundle on
Windows you CANNOT simply concatenate all the certs into one certs.pem
because Windows (and various other Operating Systems) does not
understand that format.

Re: How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Jakob Bohm-7
In reply to this post by Dominik Mahrer (Teddy)
On 12/12/2015 22:23, Dominik Mahrer (Teddy) wrote:
> Hi everyone
>
> My question is:
> How can I set up a bundle of commercial root CA certificates?
> Exactly this same question I found as FAQ #16 (User). But as an
> answer it is only explained that openssl will not serve a bundle.
> It is not explained how to set up a bundle - but exactly this I
> would like to know.
>
Returning to the original question (please ignore the
silly discussion others are having about file formats).

There are the following options:

A. (Best, most costly).  Set up direct business relationships
   with each relevant CA and use that business relationship
   to obtain both "known good" copies of the applicable root
   certs *and* detailed written proof that the CA is doing
   everything necessary to avoid issuing bad/fake certificates.
   This is what Mozilla, Microsoft and apparently Oracle do.
   Some major Linux distributions may be doing this too.

B. (Somewhat lazy). Obtain known good verified and digitally
   signed copies of the lists of trusted certificates published
   by a vendor you trust to do this right, extract the
   certificates from their software and use that.

C. Wing it and download the root CAs from the homepages of
   each CA, taking care that you have some way of making sure
   you are not getting a fake copy from someone attacking the
   CA's (or your own) Internet connection.  For example, the CA
   may publish the root cert or a strong fingerprint of it on an
   HTTPS protected URL whose certificate is itself signed by
   another CA you already trust.

Either way, you then need to convert this bundle of collected
CA root certs to a common format and install those converted
files in a way supported by the relevant software (for example,
OpenSSL 1.0.x can use the hashed directory layout produced by
c_rehash from OpenSSL 1.0.x, while OpenSSL 0.9.8 can do the
same with the similar but different layout produced by
c_rehash from OpenSSL 0.9.8; either OpenSSL version can
alternatively use a concatenation of all the certs in PEM
format).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
