[openssl-dev] OpenSSL and certain PEM formats

Dr. Stephen Henson steve at openssl.org
Sat Dec 20 14:29:44 UTC 2014


On Fri, Dec 19, 2014, Sean Leonard wrote:

> 
> On Dec 19, 2014, at 11:35 AM, Kurt Roeckx <kurt at roeckx.be> wrote:
> 
> > On Fri, Dec 19, 2014 at 03:05:32PM +0000, Viktor Dukhovni wrote:
> >> On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:
> >> 
> >>> Does OpenSSL have documented someplace exactly what it means to have a
> >>> "TRUSTED CERTIFICATE"?
> >> 
> >> It is a certificate + auxiliary data which specifies a friendly name
> >> plus a set of EKUs.
> > 
> > Mozilla provides a list of root certificates and that includes at
> > least the trust settings for that certificate.  
> 
> What exactly is the Mozilla (NSS) format? How does it differ from the OpenSSL format?
> 

The last time I checked NSS stored the trust data in a database (Berkeley DB)
and the trust attributes could be accessed via PKCS#11. I'm not aware of any
way to export the certificates to a file which retains the trust settings.

I'm not aware of any standard for trust settings. There certainly wasn't
one when this was added to OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
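
[Added example, not part of the original message and not OpenSSL code.] The "certificate + auxiliary data" layout described in the thread can be inspected by splitting a TRUSTED CERTIFICATE block into the certificate and the data that follows it, so that trust settings are not silently dropped when a bundle is converted. The auxiliary layout is an assumption based on OpenSSL's X509_CERT_AUX structure (SEQUENCE OF OID for trust, [0] for reject, UTF8String alias); the sample input is constructed and its "certificate" is only a placeholder.

```python
import base64

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_trusted_cert(pem):
    lines = pem.strip().splitlines()
    if lines[0] != "-----BEGIN TRUSTED CERTIFICATE-----":
        raise ValueError("not a TRUSTED CERTIFICATE block")
    der = base64.b64decode("".join(lines[1:-1]))
    _, _, cert_end = read_tlv(der, 0)  # the certificate itself comes first
    info = {"cert_der": der[:cert_end], "trust": [], "reject": [], "alias": None}
    aux = read_tlv(der, cert_end)[1] if cert_end < len(der) else b""  # assumed X509_CERT_AUX
    pos = 0
    while pos < len(aux):
        tag, val, pos = read_tlv(aux, pos)
        if tag in (0x30, 0xA0):  # trust / [0] reject: SEQUENCE OF OID
            p = 0
            while p < len(val):
                _, oid, p = read_tlv(val, p)
                info["trust" if tag == 0x30 else "reject"].append(decode_oid(oid))
        elif tag == 0x0C:  # alias (friendly name): UTF8String
            info["alias"] = val.decode("utf-8")
    return info

# Constructed sample: the "certificate" is a placeholder SEQUENCE, not a real one.
def tlv(tag, body): return bytes([tag, len(body)]) + body  # short-form lengths only
FAKE_CERT = tlv(0x30, tlv(0x04, b"placeholder, not a real certificate"))
AUX = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070301")))
          + tlv(0x0C, b"Example Root"))
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n"
              + base64.b64encode(FAKE_CERT + AUX).decode()
              + "\n-----END TRUSTED CERTIFICATE-----\n")
```

parse_trusted_cert(SAMPLE_PEM) reports the serverAuth OID under "trust" and the alias "Example Root"; a plain CERTIFICATE block is rejected rather than treated as carrying trust data.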

