Question on certificate chain creation in using SSL_CTX_use_certificate_chain_file


David Li
Hi, 

Say, I have a servercert.pem, serverkey.pem and cacert.pem.  When using SSL_CTX_use_certificate_chain_file() to load a cert file as the second argument, I will have to construct the file like this:

cat servercert.pem serverkey.pem cacert.pem > server.pem

and use server.pem in the API. 

My question is why I need to put in the private server key when loading the certificates? 

What's even more confusing to me is that later on I have to use
SSL_CTX_use_PrivateKey_file() to load the private key file which again is the same as server.pem. 

I might have misunderstood something or these two APIs might have internally picked the ones they need and ignore the rest in the file. Maybe it's just a convenient way to use a single file for both.

David


Re: Question on certificate chain creation in using SSL_CTX_use_certificate_chain_file

Viktor Dukhovni
On Thu, May 29, 2014 at 12:53:06PM -0700, David Li wrote:

> Say, I have a servercert.pem, serverkey.pem and cacert.pem.  When
> using SSL_CTX_use_certificate_chain_file() to load a cert file as the
> second argument, I will have to construct the file like this:
>
> cat servercert.pem serverkey.pem cacert.pem > server.pem

You don't need to include the key here, if you load the key from
a separate file.  If you do include the key, its position can be
anywhere in that list.  If the CA is a self-issued root CA, and
you're using PKIX (not DANE) the CA is also optional.

Also if you include the key, set the umask to 077, to protect the
key.

> and use server.pem in the API.
>
> My question is why I need to put in the private server key when loading the
> certificates?

You don't.

> What's even more confusing to me is that later on I have to use
> SSL_CTX_use_PrivateKey_file() to load the private key file which again is
> the same as server.pem.

You need to load the key from somewhere; it is often preferable
to use a single file, so that the key and cert are stored together.
You are free to store them in separate files.

> I might have misunderstood something or these two APIs might have
> internally picked the ones they need and ignore the rest in the file. Maybe
> it's just a convenient way to use a single file for both.

Each function looks at just the pieces of the file it wants.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
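Viktor's point that "each function looks at just the pieces of the file it wants" is the whole reason one concatenated server.pem works for both calls. The program below is an added illustration of that consumption model; it is not code from the OpenSSL project or from either poster, and it does not link against libssl. It models the two loaders over a constructed PEM string in the same order as David's `cat servercert.pem serverkey.pem cacert.pem`: the chain loader takes the first CERTIFICATE block as the leaf and every later CERTIFICATE block as a chain member, skipping the key; the key loader takes the first block whose label ends in "PRIVATE KEY", wherever it sits. The block bodies are placeholder text rather than real base64 DER, and the label matching is simplified (real OpenSSL also accepts legacy labels such as "X509 CERTIFICATE"). In a real server the same file name is passed to `SSL_CTX_use_certificate_chain_file()`, `SSL_CTX_use_PrivateKey_file()` and then `SSL_CTX_check_private_key()`, and the file is built as `umask 077; cat servercert.pem serverkey.pem cacert.pem > server.pem` so the key is never world-readable.

```c
/*
 * pem_pick.c -- added example: how a concatenated PEM file is consumed.
 * Models (without libssl) the block selection done by
 *   SSL_CTX_use_certificate_chain_file(ctx, "server.pem", SSL_FILETYPE_PEM);
 *   SSL_CTX_use_PrivateKey_file(ctx, "server.pem", SSL_FILETYPE_PEM);
 *   SSL_CTX_check_private_key(ctx);
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PEM_MAX_BLOCKS 8
#define PEM_LABEL_MAX  40

typedef struct {
    char label[PEM_LABEL_MAX];  /* text between "-----BEGIN " and "-----" */
    const char *body;           /* first byte after the BEGIN line */
    size_t body_len;            /* bytes up to the END line */
} pem_block;

/* Scan for the next PEM block at or after *cursor. Returns 1 and moves
 * *cursor past the END line on success; 0 at end of input or on a
 * truncated block (a BEGIN line with no matching END line). */
static int pem_next(const char **cursor, pem_block *b)
{
    static const char begin_tag[] = "-----BEGIN ";
    const char *begin = strstr(*cursor, begin_tag);
    if (begin == NULL)
        return 0;
    const char *label = begin + sizeof begin_tag - 1;
    const char *label_end = strstr(label, "-----");
    if (label_end == NULL || (size_t)(label_end - label) >= PEM_LABEL_MAX)
        return 0;
    memcpy(b->label, label, (size_t)(label_end - label));
    b->label[label_end - label] = '\0';

    char end_tag[PEM_LABEL_MAX + 16];
    snprintf(end_tag, sizeof end_tag, "-----END %s-----", b->label);
    const char *body = label_end + 5;            /* skip the closing dashes */
    const char *end = strstr(body, end_tag);
    if (end == NULL)
        return 0;
    b->body = body;
    b->body_len = (size_t)(end - body);
    *cursor = end + strlen(end_tag);
    return 1;
}

/* Model of SSL_CTX_use_certificate_chain_file(): CERTIFICATE blocks in
 * file order, every other block skipped. out[0] is the leaf. Returns the
 * total number of certificates found (0 means "no leaf": an error); at most
 * max of them are copied into out, and out may be NULL to only count. */
int pem_collect_chain(const char *pem, pem_block *out, int max)
{
    const char *cur = pem;
    pem_block b;
    int n = 0;
    while (pem_next(&cur, &b)) {
        if (strcmp(b.label, "CERTIFICATE") == 0) {
            if (out != NULL && n < max)
                out[n] = b;
            n++;
        }
    }
    return n;
}

/* Model of SSL_CTX_use_PrivateKey_file(): the first block whose label ends
 * in "PRIVATE KEY" (PKCS#8, RSA, EC, ...), wherever it sits. Returns the
 * 0-based index of that block among all PEM blocks in the file, or -1 if
 * the file carries no key; out may be NULL. */
int pem_find_private_key(const char *pem, pem_block *out)
{
    static const char suffix[] = "PRIVATE KEY";
    const size_t sl = sizeof suffix - 1;
    const char *cur = pem;
    pem_block b;
    for (int idx = 0; pem_next(&cur, &b); idx++) {
        size_t ll = strlen(b.label);
        if (ll >= sl && strcmp(b.label + ll - sl, suffix) == 0) {
            if (out != NULL)
                *out = b;
            return idx;
        }
    }
    return -1;
}

/* Constructed stand-in for "cat servercert.pem serverkey.pem cacert.pem".
 * Bodies are placeholders, not real base64-encoded DER. */
const char SERVER_PEM[] =
    "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n";

int main(void)
{
    pem_block chain[PEM_MAX_BLOCKS], key;
    int n = pem_collect_chain(SERVER_PEM, chain, PEM_MAX_BLOCKS);
    int k = pem_find_private_key(SERVER_PEM, &key);
    if (n == 0) {
        fputs("no leaf certificate in file\n", stderr);
        return 1;
    }
    printf("leaf + %d chain certificate(s); key block skipped by chain loader\n", n - 1);
    if (k >= 0)
        printf("%s found as PEM block #%d (position does not matter)\n", key.label, k);
    else
        puts("no key in this file: load it from a separate file instead");
    return 0;
}
```

Running it on the constructed file reports one leaf plus one chain certificate and the key found as block #1, which is exactly why David's concatenation works with the key in the middle; swapping the key to the front or the end changes only the reported index, while a file whose first certificate is not the server's own certificate would hand the wrong leaf to the chain loader.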