[openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Viktor Dukhovni openssl-users at dukhovni.org
Sun Dec 13 19:27:40 UTC 2015

> On Dec 13, 2015, at 5:34 AM, Ben Humpert <ben at an3k.de> wrote:
> 2015-12-13 3:53 GMT+01:00 Viktor Dukhovni <openssl-users at dukhovni.org>:
>> In other words, you can concatenate all the trusted root CA
>> certs into the "cert.pem" file in that directory, but this
>> has a performance cost, as all the certificates are loaded
>> into memory and parse even though most go unused.  Alternatively,
> The problem with concatenating certs into one file is that at least
> Windows does not understand that format and just reads the first
> certificate but ignores all following.

This is both wrong and irrelevant.  The OP should proceed as instructed.
OpenSSL's CAfile feature reads multiple certificates from a single file.


More information about the openssl-users mailing list