[openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Ben Humpert ben at an3k.de
Mon Dec 14 11:39:39 UTC 2015

2015-12-13 22:57 GMT+01:00 Salz, Rich <rsalz at akamai.com>:
>> And we don't know on which client OP will have to use that pem file, thus
>> give advise that works on all clients, not just OpenSSL or GnuTLS or whatever.
> It is quite reasonable to give openssl-specific answers on the openssl-users mailing list, isn’t it?

All given answers are openssl-specific (OP uses OpenSSL to CREATE the
bundle but likely not to READ / USE the created bundle). You are
intelligent enough to understand the difference, aren't you?

The problem with Viktor Dukhovni is that he acts like THE AUTHORITY;
saying all other given answers are wrong (actually none is).
Additionally his solution is complicated and only works with OpenSSL.

Since Windows, Mac, GnuTLS, OpenSSL, Android, iPhone, etc. understand
a pkcs7 container and since nobody knows on what clients the bundle
will be used Walter Hs answer is the best solution.

You know encryption but obviously not that there is a world beyond
OpenSSL. And as I already wrote: If you want to use the bundle on
Windows you CANNOT simply concatenate all the certs into one certs.pem
because Windows (and various other Operating Systems) does not
understand that format.

More information about the openssl-users mailing list