[openssl-dev] Loading of different Server CA certificates

Dave Thompson dthompson at prinpay.com
Wed Jan 28 07:49:34 UTC 2015


> From: openssl-dev On Behalf Of Satish.KumarYarru at cognizant.com
> Sent: Wednesday, January 28, 2015 00:08

This is a basic user question, not dev.

> I want to connect with different SSL servers. So I need to load different
> Server CA certs into SSL Context.

If the servers are (or may be) using different CAs, yes.

> Is it possible to load different server CA certs of different SSL servers
> in a single SSL Context?
> If yes, when I am connecting with SSL server, SSL client can traverse all
> the CA certificates in the SSL context, and can find the CA certificate
> that is fit for the Server URL?

Yes. There are actually two mechanisms. For CAfile, all the certs are loaded
into memory, and the lookup just searches them. For CApath, the certs are left
on disk, with filenames using hashes of the canonical subject names; lookup
takes the hash of the needed CA, and reads the file(s) if any for that hash to
find it. See the manpage on your system or at
https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html .
Also https://www.openssl.org/docs/apps/verify.html for some more details.
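The two store layouts described in the reply, as an added worked example that is not part of the original thread: the script builds two unrelated demo CAs, issues one server certificate under each, then assembles both a concatenated CAfile and a hashed CApath (hash-named links, the layout `openssl rehash` / `c_rehash` produce) and shows the lookup step that `-issuer_hash` implies. It assumes only that the `openssl` command-line tool (1.1.x or 3.x) is on PATH; every file name, CA name and CN in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: build the two trust-store layouts the
# reply describes (one CAfile, one hashed CApath) from two unrelated CAs, then
# verify a server certificate issued under each. Assumes the openssl CLI
# (1.1.x or 3.x) is on PATH; every name and CN below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on the system openssl.cnf;
# -subj on the command line replaces the placeholder DN.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA <name> with CN <cn>: writes $WORK/<name>.key and .crt.
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Server cert <name> for CN <cn>, issued by CA <ca>.
make_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Install a CA into the CApath directory the way "openssl rehash" does:
# <subject_hash>.<n> -> the PEM file, n counting up on hash collisions.
install_in_capath() {
    hash=$(openssl x509 -noout -subject_hash -in "$WORK/$1.crt")
    n=0
    while [ -e "$WORK/capath/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$WORK/$1.crt" "$WORK/capath/$hash.$n"
}

# What the CApath lookup does for a leaf: hash the needed issuer name and
# open the file(s) for that hash. Prints matches; empty if the CA is absent.
capath_lookup() {
    hash=$(openssl x509 -noout -issuer_hash -in "$WORK/$1.crt")
    for f in "$WORK/capath/$hash".*; do
        if [ -e "$f" ]; then echo "$f"; fi
    done
}

# Verification helpers: succeed only when openssl reports the chain as OK
# (checking the text rather than the exit code also works on old releases).
verify_with_capath() {
    openssl verify -CApath "$WORK/capath" "$WORK/$1.crt" 2>/dev/null | grep -q ': OK$'
}
verify_with_cafile() {
    openssl verify -CAfile "$1" "$WORK/$2.crt" 2>/dev/null | grep -q ': OK$'
}

# Build two CAs, one server cert under each, and both store layouts.
demo_setup() {
    rm -rf "$WORK/capath"; mkdir -p "$WORK/capath"
    make_ca ca_a "Demo CA A"
    make_ca ca_b "Demo CA B"
    make_leaf srv_a "srv-a.example.test" ca_a
    make_leaf srv_b "srv-b.example.test" ca_b
    # CAfile: every trusted CA concatenated into one PEM file.
    cat "$WORK/ca_a.crt" "$WORK/ca_b.crt" > "$WORK/both.pem"
    # CApath: one hash-named link per CA, found by hashing the issuer name.
    install_in_capath ca_a
    install_in_capath ca_b
}

demo_setup
echo "CApath entries:"; ls "$WORK/capath"
echo "srv_b issuer found at: $(capath_lookup srv_b)"
verify_with_capath srv_a && echo "srv_a OK via CApath"
verify_with_capath srv_b && echo "srv_b OK via CApath"
verify_with_cafile "$WORK/both.pem" srv_b && echo "srv_b OK via combined CAfile"
verify_with_cafile "$WORK/ca_a.crt" srv_b || echo "srv_b rejected with only CA A in the CAfile (expected)"
```

Either layout lets one context trust both servers; the last line shows the failure mode the question is really about, a CAfile that holds only the other server's CA. With `SSL_CTX_load_verify_locations` the same `both.pem` and `capath` directory would be passed as the CAfile and CApath arguments.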
