<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 15/09/2015 08:28, Rene Bartsch
wrote:<br>
</div>
<blockquote class=" cite"
id="mid_3199f47cb4e77b2d972eab55a0f417fd_triangulum_uberspace_de"
cite="mid:3199f47cb4e77b2d972eab55a0f417fd@triangulum.uberspace.de"
type="cite">Hi,
<br>
<br>
how does OpenSSL scan/parse the certificate store?
<br>
<br>
Does it look for specific directory-/filenames (e.g. CA-identity =
<filename>.crt) or does it just parse ALL files in the
certificate store?
<br>
<br>
</blockquote>
<tt>See the documentation of the c_rehash program.</tt><tt><br>
</tt><tt><br>
</tt><tt>Basically there are two alternative methods:</tt><tt><br>
</tt><tt><br>
</tt><tt>A) (preferred): For each certificiate, there is a symlink <br>
from a (weak) checksum of the CA identity to
<filename>.pem <br>
(Example: 17b51fe6.0 -> Certplus_Class_2_Primary_CA.pem). <br>
If more than one CA ends up with the same checksum, the <br>
additional links are given increasing numeric suffic, <br>
and OpenSSL will try them one by one. Because older <br>
OpenSSL versions used a different checksum formula, it <br>
is sometimes useful to set up both sets of symlinks.</tt><tt><br>
</tt><tt><br>
</tt><tt>B) (preloaded): All the CA certificates (in PEM format) are
<br>
concatenated into a giant certificates.pem file which is <br>
loaded into memory at OpenSSL start up, this is especially <br>
useful if the process will chroot() into a directory that <br>
doesn't contain the certificates.</tt><tt><br>
</tt><br>
<br>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="http://www.wisemo.com">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
</body>
</html>