[openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)
Viktor Dukhovni
openssl-users at dukhovni.org
Sun Dec 13 02:53:45 UTC 2015
> On Dec 12, 2015, at 4:23 PM, Dominik Mahrer (Teddy) <teddy at teddy.ch> wrote:
>
> How can I set up a bundle of commercial root CA certificates?
> Exactly this same question I found as FAQ #16 (User). But as an answer it is only explained that openssl will not serve a bundle. But it is not explained how to set up a bundle - but exactly this I would like to know.
To populate OpenSSL's trust-anchor set (which ships empty), you
first need to determine the OpenSSL configuration directory, which
is reported by (e.g. on my NetBSD system):
$ openssl version -d
OPENSSLDIR: "/usr/pkg/etc/openssl"
OpenSSL looks for certificates at that location, specifically:
X509_CERT_DIR OPENSSLDIR "/certs"
X509_CERT_FILE OPENSSLDIR "/cert.pem"
In other words, you can concatenate all the trusted root CA
certs into the "cert.pem" file in that directory, but this
has a performance cost, as all the certificates are loaded
into memory and parsed even though most go unused. Alternatively,
you can put one certificate per file into the "certs/" sub-directory,
and run c_rehash, to create the necessary symlinks that make it possible
for OpenSSL to find the certificate for a given issuer DN.
Some O/S distributions automatically populate the above file and/or
directory as part of installing OpenSSL, with whatever trust-anchors
(root CAs) they think are broadly applicable. OpenSSL upstream does
not make that choice.
--
Viktor.
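The two layouts Viktor describes, carried through end to end as an added example (this is editor-supplied code, not part of the original mail or of OpenSSL). It assumes an `openssl` command-line tool of version 1.1.0 or later on PATH (for `openssl rehash` and the `-no-CAfile`/`-no-CApath` flags; older builds fall back to the `c_rehash` script), and it uses a scratch directory `$STORE` in place of the real OPENSSLDIR so it never touches the system trust store. The root CA and leaf certificate are constructed on the fly with throw-away keys, standing in for the commercial roots you would actually collect; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): populate an OpenSSL trust-anchor
# store both ways described above, then verify a leaf against each layout.
# Assumptions: 'openssl' CLI 1.1.0 or later on PATH; $STORE stands in for
# OPENSSLDIR (as reported by 'openssl version -d').
set -eu

STORE="${STORE:-$(mktemp -d)}"

# Constructed test material: a throw-away self-signed root placed in
# $STORE/roots/ (the role of the commercial roots you collected) and a leaf
# certificate signed by that root, so the example runs offline.
make_test_pki() {
  mkdir -p "$STORE/roots"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Constructed Test Root" \
    -keyout "$STORE/root.key" -out "$STORE/roots/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" \
    -keyout "$STORE/leaf.key" -out "$STORE/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$STORE/leaf.csr" \
    -CA "$STORE/roots/root.pem" -CAkey "$STORE/root.key" -CAcreateserial \
    -out "$STORE/leaf.pem" 2>/dev/null
}

# Layout 1, X509_CERT_FILE: OPENSSLDIR/cert.pem holding every root
# concatenated. Simple, but every root is parsed whenever the store loads.
build_bundle_file() {
  cat "$STORE"/roots/*.pem > "$STORE/cert.pem"
}

# Layout 2, X509_CERT_DIR: OPENSSLDIR/certs/ with one PEM file per root plus
# <subject-name-hash>.N symlinks, so OpenSSL can open just the file matching
# the issuer DN it is looking for.
build_certs_dir() {
  rm -rf "$STORE/certs"
  mkdir -p "$STORE/certs"
  cp "$STORE"/roots/*.pem "$STORE/certs/"
  # 'openssl rehash' (1.1.0+) replaces the c_rehash perl script; fall back to
  # c_rehash on older builds.
  openssl rehash "$STORE/certs" 2>/dev/null || c_rehash "$STORE/certs" >/dev/null
}

# Each check disables the compiled-in default location it is not testing, so a
# pass can only come from the store built here, never from the system's roots.
verify_with_file() {
  openssl verify -no-CApath -CAfile "$STORE/cert.pem" "$STORE/leaf.pem" >/dev/null 2>&1
}
verify_with_dir() {
  openssl verify -no-CAfile -CApath "$STORE/certs" "$STORE/leaf.pem" >/dev/null 2>&1
}

# Negative check: a directory of PEM files that was never rehashed is useless
# as -CApath, because lookups go by hashed filename, not by file contents.
verify_with_unhashed_dir() {
  rm -rf "$STORE/unhashed"
  mkdir -p "$STORE/unhashed"
  cp "$STORE"/roots/*.pem "$STORE/unhashed/"
  openssl verify -no-CAfile -CApath "$STORE/unhashed" "$STORE/leaf.pem" >/dev/null 2>&1
}

# Number of hash symlinks rehash created (one per root with 'openssl rehash').
hash_link_count() {
  find "$STORE/certs" -type l -name '[0-9a-f]*.[0-9]*' | wc -l | tr -d ' '
}

demo() {
  make_test_pki
  build_bundle_file
  build_certs_dir
  echo "store: $STORE ($(hash_link_count) hash symlink(s) in certs/)"
  verify_with_file && echo "cert.pem bundle: leaf verifies"
  verify_with_dir && echo "certs/ (rehashed): leaf verifies"
  verify_with_unhashed_dir || echo "unhashed dir: verification fails, as expected"
}

demo
```

Two practitioner notes on this. `openssl verify` loads the compiled-in default file and directory in addition to whatever `-CAfile`/`-CApath` you pass, so without `-no-CAfile`/`-no-CApath` a check of your own store can pass for the wrong reason. And to point OpenSSL at a store like `$STORE` without writing into OPENSSLDIR at all, set the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, which the default verify paths honour.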