Re: Question on certificate chain creation in using SSL_CTX_use_certificate_chain_file
On Thu, May 29, 2014 at 12:53:06PM -0700, David Li wrote:
> Say, I have a servercert.pem, serverkey.pem and cacert.pem. When
> using SSL_CTX_use_certificate_chain_file() to load a cert file as the
> second argument, I will have to construct the file like this:
> cat servercert.pem serverkey.pem cacert.pem > server.pem
You don't need to include the key here, if you load the key from
a separate file. If you do include the key its position can be
anywhere in that list. If the CA is a self-issued root CA, and
you're using PKIX (not DANE) the CA is also optional.
Also if you include the key, set the umask to 077, to protect the
> and use server.pem in the API.
> My question is why I need to put in the private server key when loading the
> What's even more confusing to me is that later on I have to use
> SSL_CTX_use_PrivateKey_file() to load the private key file which again is
> the same as server.pem.
You need to load the key from somewhere, it is often preferable
to use a single file, so that the key and cert are stored together.
You are free to store them in separate files.
> I might have misunderstood something or these two APIs might have
> internally picked the ones they need and ignore the rest in the file. Maybe
> it's just a convenient way to use a single file for both.
Each function looks at just the pieces of the file it wants.
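As an added illustration (not part of this thread, and not OpenSSL's own code), the Python below models what the two loaders do with a concatenated PEM file: `SSL_CTX_use_certificate_chain_file()` takes the first CERTIFICATE block as the server certificate and every later one as the chain, `SSL_CTX_use_PrivateKey_file()` takes the first private-key block wherever it sits, and each ignores the blocks it does not want. It also writes the combined file under umask 077 and checks the resulting mode. The PEM bodies are constructed placeholders rather than real DER, and the function names (`parse_pem`, `pick_certificate_chain`, `pick_private_key`, `check_combined_file`) are mine, not OpenSSL API.

```python
import os
import re
import stat
import tempfile

# Constructed sample PEM blocks. The base64 bodies are placeholders, not real
# DER, because only the PEM framing matters for which block each loader picks.
SERVER_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "c2VydmVyY2VydA==\n"
    "-----END CERTIFICATE-----\n"
)
SERVER_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "c2VydmVya2V5\n"
    "-----END PRIVATE KEY-----\n"
)
CA_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y2FjZXJ0\n"
    "-----END CERTIFICATE-----\n"
)

# One PEM block: the label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)\n-----END (?P=label)-----",
    re.S,
)


def parse_pem(text):
    """Split a file into (label, body) pairs, preserving file order."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]


def pick_certificate_chain(blocks):
    """Model SSL_CTX_use_certificate_chain_file(): the first CERTIFICATE block is
    the server (leaf) certificate, every later CERTIFICATE block is appended to
    the chain, and non-certificate blocks such as the key are skipped."""
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block in file")
    return certs[0], certs[1:]


def pick_private_key(blocks):
    """Model SSL_CTX_use_PrivateKey_file(): the first private-key block is used,
    wherever it sits in the file; certificate blocks are ignored."""
    for label, body in blocks:
        if label.endswith("PRIVATE KEY"):
            return body
    raise ValueError("no PRIVATE KEY block in file")


def write_combined(path, *parts):
    """Concatenate PEM parts into one file under umask 077, so a file that
    carries the private key is readable by its owner only."""
    old_umask = os.umask(0o077)
    try:
        with open(path, "w") as f:
            f.write("".join(parts))
    finally:
        os.umask(old_umask)


def check_combined_file(path):
    """Pre-flight check for a combined server.pem: what each loader would pick
    and whether the mode is tight enough for a file holding a key."""
    with open(path) as f:
        blocks = parse_pem(f.read())
    leaf, chain = pick_certificate_chain(blocks)
    key = pick_private_key(blocks)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "leaf": leaf,
        "chain": chain,
        "key": key,
        "owner_only": (mode & 0o077) == 0,
    }


def demo(*parts):
    """Write the given parts to a temporary server.pem and run the check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.pem")
        write_combined(path, *parts)
        return check_combined_file(path)


if __name__ == "__main__":
    # Key in the middle (as in the question) and key last give the same result.
    print(demo(SERVER_CERT, SERVER_KEY, CA_CERT))
    print(demo(SERVER_CERT, CA_CERT, SERVER_KEY))
```

Running it with the key in the middle and with the key last returns the same leaf, chain and key, which is the point of the reply: the position of the key does not matter, and the permission check only passes because the file was created under umask 077.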