[openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Walter H. Walter.H at mathemainzel.info
Sun Dec 13 12:16:56 UTC 2015

On 13.12.2015 11:34, Ben Humpert wrote:
> 2015-12-13 3:53 GMT+01:00 Viktor Dukhovni<openssl-users at dukhovni.org>:
>> In other words, you can concatenate all the trusted root CA
>> certs into the "cert.pem" file in that directory, but this
>> has a performance cost, as all the certificates are loaded
>> into memory and parse even though most go unused.  Alternatively,
> The problem with concatenating certs into one file is that at least
> Windows does not understand that format and just reads the first
> certificate but ignores all following.
then create a pkcs7 container

openssl crl2pkcs7 -nocrl -certfile cert1.pem -certfile cert2.pem 
-certfile cert3.pem -out bundle.p7b

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151213/b9c0c92f/attachment-0001.bin>

More information about the openssl-users mailing list