[openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Viktor Dukhovni openssl-users at dukhovni.org
Sun Dec 13 02:53:45 UTC 2015

> On Dec 12, 2015, at 4:23 PM, Dominik Mahrer (Teddy) <teddy at teddy.ch> wrote:
> How can I set up a bundle of commercial root CA certificates?
> Exactly the same question I found as FAQ #16 (User). But as an answer there it is only explained that openssl will not serve a bundle. It is not explained how to set up a bundle - but exactly this I would like to know.

To populate OpenSSL's trust-anchor set (which ships empty), you
first need to determine the OpenSSL configuration directory, which
is reported by (e.g. on my NetBSD system):

   $ openssl version -d
   OPENSSLDIR: "/usr/pkg/etc/openssl"

OpenSSL looks for certificates at that location, specifically:

	X509_CERT_DIR           OPENSSLDIR "/certs"
	X509_CERT_FILE          OPENSSLDIR "/cert.pem"

In other words, you can concatenate all the trusted root CA
certs into the "cert.pem" file in that directory, but this
has a performance cost, as all the certificates are loaded
into memory and parsed even though most go unused.  Alternatively,
you can put one certificate per file into the "certs/" sub-directory
and run c_rehash, to create the symlinks that make it possible
for OpenSSL to find the certificate for a given issuer DN.

Some O/S distributions automatically populate the above file and/or
directory as part of installing OpenSSL, with whatever trust-anchors
(root CAs) they think are broadly applicable.  OpenSSL upstream does
not make that choice.
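As an added example (not part of the message above, and not OpenSSL's own tooling), a small POSIX shell script that builds the hashed "certs/" directory the way c_rehash does, using `openssl x509 -subject_hash`, builds the "cert.pem" bundle alternative, and checks that `openssl verify` can chain a leaf to the root through each store. The function names are mine, and the root CA and leaf it verifies are constructed throwaway certificates generated on the fly.

```shell
# Populate an OpenSSL trust store both ways described above: a hashed certs/
# directory (what c_rehash builds) and a cert.pem bundle, then verify against each.
set -eu
# Emulate c_rehash: copy each root into DIR and link it as <subject_hash>.<n>,
# the name OpenSSL's by_dir lookup derives from a certificate's issuer DN.
build_capath() {
    dir=$1; shift
    mkdir -p "$dir"
    for ca in "$@"; do
        dest="$dir/$(basename "$ca")"
        [ "$ca" -ef "$dest" ] || cp "$ca" "$dest"
        h=$(openssl x509 -in "$ca" -noout -subject_hash)
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # distinct CAs can share a hash
        ln -s "$(basename "$ca")" "$dir/$h.$n"
    done
}

# The cert.pem alternative: one file holding every root, all parsed at load time.
build_bundle() {
    out=$1; shift
    : > "$out"
    for ca in "$@"; do cat "$ca" >> "$out"; done
}

# Hashed links in DIR, i.e. anchors the by_dir lookup can actually find.
count_anchors() { ls "$1" | grep -c '^[0-9a-f]\{8\}\.[0-9]*$' || true; }

# Succeed only if CERT chains to a root in the given store; the -no-CA* flags
# keep the system defaults out so the result reflects that store alone.
verify_with_capath() { openssl verify -no-CAfile -CApath "$1" "$2"; }
verify_with_bundle() { openssl verify -no-CApath -CAfile "$1" "$2"; }

# Constructed throwaway PKI: a self-signed test root and one leaf it issues.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then   # sh this_script.sh demo
    T=$(mktemp -d); make_test_pki "$T"
    build_capath "$T/certs" "$T/ca.pem"; build_bundle "$T/cert.pem" "$T/ca.pem"
    ls -l "$T/certs"
    verify_with_capath "$T/certs" "$T/leaf.pem"; verify_with_bundle "$T/cert.pem" "$T/leaf.pem"
fi
```

The real c_rehash (and `openssl rehash` in 1.1.0 and later) additionally creates old-style hash links for pre-1.0.0 compatibility and `<hash>.r<n>` links for CRLs; re-run it whenever a root is added or removed, since a stale or missing link makes that anchor invisible to the by_dir lookup.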
