[openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)
Jakob Bohm
jb-openssl at wisemo.com
Mon Dec 14 16:00:10 UTC 2015
On 12/12/2015 22:23, Dominik Mahrer (Teddy) wrote:
> Hi everyone
>
> My question is:
> How can I set up a bundle of commercial root CA certificates?
> Exactly this same question I found as FAQ #16 (User). But in the
> answer it is only explained that openssl will not serve a bundle.
> It is not explained how to set up a bundle, and exactly this is what
> I would like to know.
>
Returning to the original question (please ignore the
silly discussion others are having about file formats).
There are the following options:
A. (Best, most costly). Set up direct business relationships
with each relevant CA and use that business relationship
to obtain both "known good" copies of the applicable root
certs *and* detailed written proof that the CA is doing
everything necessary to avoid issuing bad/fake certificates.
This is what Mozilla, Microsoft and apparently Oracle do.
Some major Linux distributions may be doing this too.
B. (Somewhat lazy). Obtain known good verified and digitally
signed copies of the lists of trusted certificates published
by a vendor you trust to do this right, extract the
certificates from their software and use that.
C. Wing it and download the root CAs from the homepages of
each CA, taking care that you have some way of making sure
you are not getting a fake copy from someone attacking the
CAs' (or your own) Internet connection. For example, the CA
may publish the root cert or a strong fingerprint of it on an
HTTPS protected URL whose certificate is itself signed by
another CA you already trust.
Either way, you then need to convert this bundle of collected
CA root certs to a common format and install those converted
files in a way supported by the relevant software. For example,
OpenSSL 1.0.x can use the hashed directory layout produced by
c_rehash from OpenSSL 1.0.x, while OpenSSL 0.9.8 can do the
same with the similar but different layout produced by
c_rehash from OpenSSL 0.9.8; either OpenSSL version can
alternatively use a concatenation of all the certs in PEM
format.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
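An added example (not part of the post or of OpenSSL's own tooling) of the last step above for option C: a POSIX sh script that admits each downloaded root only if it matches the SHA-256 fingerprint the CA published out-of-band, then writes the accepted roots both as one concatenated PEM file and as a hashed directory. It assumes `openssl` is on PATH and a constructed manifest file listing `<cert path> <expected fingerprint>` per line; `fingerprint_of`, `to_pem` and `build_bundle` are hypothetical names.

```shell
#!/bin/sh
# Assemble a root CA bundle from individually downloaded root certs.
# Each cert must match the SHA-256 fingerprint the CA published
# out-of-band before it is admitted; accepted certs are written as one
# concatenated PEM file and as a c_rehash-style hashed directory.
# Manifest format (one cert per line, no spaces in paths; constructed):
#   /path/to/root.crt  AB:CD:...:EF
set -eu

fingerprint_of() {  # SHA-256 fingerprint of a PEM or DER certificate
    if grep -q 'BEGIN CERTIFICATE' "$1"; then inform=PEM; else inform=DER; fi
    openssl x509 -inform "$inform" -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//'
}

to_pem() {          # re-encode a PEM or DER certificate as PEM
    if grep -q 'BEGIN CERTIFICATE' "$1"; then inform=PEM; else inform=DER; fi
    openssl x509 -inform "$inform" -in "$1"
}

# build_bundle MANIFEST BUNDLE.pem HASHDIR -> returns 0 if every cert
# matched its fingerprint, 1 if any was rejected (rejected certs are
# left out of both outputs; the rest are still installed).
build_bundle() {
    manifest=$1; bundle=$2; hashdir=$3; rc=0
    : > "$bundle"; mkdir -p "$hashdir"
    while read -r cert expected; do
        [ -n "$cert" ] || continue
        actual=$(fingerprint_of "$cert") || actual=unreadable
        if [ "$actual" != "$expected" ]; then
            echo "REJECT $cert: got '$actual', expected $expected" >&2
            rc=1; continue
        fi
        name=$(basename "$cert")
        to_pem "$cert" >> "$bundle"               # concatenated PEM form
        to_pem "$cert" > "$hashdir/${name%.*}.pem" # one file per root
    done < "$manifest"
    # Create the <subject-hash>.N links that -CApath lookups need:
    # 'openssl rehash' (1.1.0+), falling back to the older c_rehash script.
    openssl rehash "$hashdir" >/dev/null 2>&1 || c_rehash "$hashdir" >/dev/null
    return $rc
}
```

Point `-CAfile` at the bundle or `-CApath` at the hashed directory; re-run the rehash step after adding or removing a root, since the links are not updated automatically.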