Current status
Hal Murray
hmurray at megapathdsl.net
Wed Feb 13 23:18:17 UTC 2019
>> I'm calling that "cert and other certs" a chain.
> Except that is not the definition of a cert full chain file.
> Please don't make up new terms for long standing, well settled, concepts.
I didn't call it a "full" chain file.
I pulled the term "chain file" from the API. If you have a URL for a good
glossary, please share it.
From man SSL_CTX_use_certificate_chain_file:
SSL_CTX_use_certificate_chain_file() loads a certificate chain from
file into ctx. The certificates must be in PEM format and must be
sorted starting with the subject's certificate (actual client or server
certificate), followed by intermediate CA certificates if applicable,
and ending at the highest level (root) CA.
SSL_CTX_use_certificate_chain_file() should be used instead of the
SSL_CTX_use_certificate_file() function in order to allow the use of
complete certificate chains even when no trusted CA storage is used or
when the CA issuing the certificate shall not be added to the trusted
CA storage.
As far as I can tell, you don't need the root cert when feeding the chain to a
TLS server. I think the TLS server sends the chain to the TLS client. The
client already has the root cert so it isn't needed in normal use. It might
be handy when checking things with command line tools.
--
These are my opinions. I hate spam.
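The man page text quoted above fixes the order a chain file must have (subject certificate first, then intermediates, root last and optional). The following is an added example, not code from this post or from the NTPsec project: a small stdlib-only Python checker that splits a PEM chain file into certificates, pulls the issuer and subject names out of each one with a minimal DER walker, and reports whether each certificate was issued by the one that follows it and whether the file ends in a self-signed root. The toy certificates it builds for the demonstration are constructed here (unsigned, placeholder key and signature) purely so the checker has input to run on; the helper and function names are my own.

```python
import base64
import re

# ---- DER helpers for building constructed toy certificates (demo input only) ----

def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def x509_name(common_name):
    """Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }."""
    cn_oid = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
    atv = tlv(0x30, tlv(0x06, cn_oid) + tlv(0x0C, common_name.encode()))
    return tlv(0x30, tlv(0x31, atv))

def make_toy_cert(subject_cn, issuer_cn):
    """Constructed, structurally valid but unsigned X.509 v3 certificate."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                          # [0] EXPLICIT v3
    serial = tlv(0x02, b"\x01")
    sigalg = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(0x17, b"290101000000Z"))
    rsa_oid = tlv(0x06, bytes.fromhex("2A864886F70D010101"))
    spki = tlv(0x30, tlv(0x30, rsa_oid + tlv(0x05, b"")) + tlv(0x03, b"\x00"))  # placeholder key
    tbs = tlv(0x30, version + serial + sigalg + x509_name(issuer_cn)
              + validity + x509_name(subject_cn) + spki)
    return tlv(0x30, tbs + sigalg + tlv(0x03, b"\x00"))                # placeholder signature

def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# ---- The checker itself ----

def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file, in file order."""
    pat = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
    return [base64.b64decode("".join(m.split())) for m in pat.findall(text)]

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    vstart = pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[vstart:vstart + n], "big")
        vstart += n
    return tag, vstart, vstart + length

def cert_names(der):
    """Extract the raw DER issuer and subject Name elements from a certificate."""
    tag, pos, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version
        pos = end
    _, _, pos = read_tlv(der, pos)          # serialNumber
    _, _, pos = read_tlv(der, pos)          # signature AlgorithmIdentifier
    _, _, end = read_tlv(der, pos)
    issuer, pos = der[pos:end], end         # issuer Name (whole element)
    _, _, pos = read_tlv(der, pos)          # validity
    _, _, end = read_tlv(der, pos)
    subject = der[pos:end]                  # subject Name (whole element)
    return issuer, subject

def check_chain(pem_text):
    """Verify leaf-first ordering as the man page requires; report whether a root is present."""
    certs = [cert_names(d) for d in pem_blocks(pem_text)]
    if not certs:
        return {"count": 0, "ordered": False, "includes_root": False,
                "problems": ["no certificates found"]}
    problems = []
    for i in range(len(certs) - 1):
        issuer, _ = certs[i]
        _, next_subject = certs[i + 1]
        if issuer != next_subject:          # byte-for-byte Name comparison
            problems.append(f"certificate {i} was not issued by certificate {i + 1}")
    last_issuer, last_subject = certs[-1]
    return {"count": len(certs), "ordered": not problems,
            "includes_root": last_issuer == last_subject, "problems": problems}

# Constructed three-level chain used as sample input.
LEAF = make_toy_cert("ntp.example", "Example Intermediate CA")
INTERMEDIATE = make_toy_cert("Example Intermediate CA", "Example Root CA")
ROOT = make_toy_cert("Example Root CA", "Example Root CA")
CHAIN_WITH_ROOT = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)
CHAIN_NO_ROOT = to_pem(LEAF) + to_pem(INTERMEDIATE)
CHAIN_REVERSED = to_pem(ROOT) + to_pem(INTERMEDIATE) + to_pem(LEAF)

if __name__ == "__main__":
    for label, chain in (("with root", CHAIN_WITH_ROOT), ("no root", CHAIN_NO_ROOT),
                         ("reversed", CHAIN_REVERSED)):
        print(label, check_chain(chain))
```

Pointing `check_chain` at the contents of a real chain file (`check_chain(open(path).read())`) gives the same three answers a server operator wants before handing the file to SSL_CTX_use_certificate_chain_file: how many certificates are in it, whether they are in leaf-first order, and whether the optional root is at the end. A chain without the root comes back as ordered, which matches the point in the post that the server need not ship the root the client already trusts; the check is structural only and does not verify signatures.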