[openssl-users] How does OpenSSL load/parse the certificate store?
Jakob Bohm
jb-openssl at wisemo.com
Tue Sep 15 18:27:37 UTC 2015
On 15/09/2015 08:28, Rene Bartsch wrote:
> Hi,
>
> how does OpenSSL scan/parse the certificate store?
>
> Does it look for specific directory/file names (e.g. CA identity =
> <filename>.crt) or does it just parse ALL files in the certificate store?
>
See the documentation of the c_rehash program.
Basically there are two alternative methods:
A) (preferred): For each certificate, there is a symlink
from a (weak) checksum of the CA identity to <filename>.pem
(Example: 17b51fe6.0 -> Certplus_Class_2_Primary_CA.pem).
If more than one CA ends up with the same checksum, the
additional links are given increasing numeric suffixes,
and OpenSSL will try them one by one. Because older
OpenSSL versions used a different checksum formula, it
is sometimes useful to set up both sets of symlinks.
B) (preloaded): All the CA certificates (in PEM format) are
concatenated into a giant certificates.pem file which is
loaded into memory at OpenSSL startup; this is especially
useful if the process will chroot() into a directory that
doesn't contain the certificates.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
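Added example (not part of Jakob's message and not OpenSSL's own c_rehash): a small POSIX shell script that builds the method A layout, including the numeric suffixes for colliding checksums and both the current and the legacy hash formula. It assumes the openssl CLI is on PATH; the function names, the .pem/.crt glob and the skipping of non-certificate files are this example's own choices.

```shell
#!/bin/sh
# Rebuild the <hash>.N symlinks of an OpenSSL CA directory (example code,
# not the real c_rehash). Assumes the openssl CLI is on PATH and that each
# CA certificate is a single PEM file ending in .pem or .crt.

# Print the subject-name hash of a certificate: "new" uses -subject_hash
# (OpenSSL >= 1.0.0), "old" uses -subject_hash_old (pre-1.0.0 formula).
cert_hash() {
    if [ "$2" = old ]; then
        openssl x509 -in "$1" -noout -subject_hash_old
    else
        openssl x509 -in "$1" -noout -subject_hash
    fi
}

# Create <hash>.N -> <file> using the first free N (0, 1, 2, ...), so CAs
# whose subjects collide on the weak hash each keep their own link; OpenSSL
# walks the same suffixes in order when it looks a CA up. Re-running on an
# already linked file does not add a duplicate link.
link_cert() {
    dir=$1; file=$2; hash=$3; n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$file" ]; then
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$file" "$dir/$hash.$n"
}

# Link every certificate under both hash formulas so that old and new
# OpenSSL clients can find every CA. Files openssl cannot parse as a
# certificate (keys, CRLs, stray notes) are reported and skipped.
rehash_dir() {
    dir=$1
    for path in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$path" ] || continue
        new=$(cert_hash "$path" new 2>/dev/null) || { echo "skipping $path: not a certificate" >&2; continue; }
        old=$(cert_hash "$path" old 2>/dev/null) || continue
        file=${path##*/}
        link_cert "$dir" "$file" "$new"
        link_cert "$dir" "$file" "$old"
    done
}

# Usage: sh rehash.sh /etc/ssl/certs
if [ -n "${1:-}" ]; then
    rehash_dir "$1"
fi
```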