[openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

Jakob Bohm jb-openssl at wisemo.com
Mon Dec 14 16:00:10 UTC 2015

On 12/12/2015 22:23, Dominik Mahrer (Teddy) wrote:
> Hi everyone
> My question is:
> How can I set up a bundle of commercial root CA certificates?
> Exactly this the same question I found as FAQ # 16 (User). But as 
> answer there is only explained that openssl will not serve a bundle. 
> But it is not explained how to set up a bundle - but exactly this I 
> would like to know.
Returning to the original question (please ignore the
silly discussion others are having about file formats).

There are the following options:

A. (Best, most costly).  Set up direct business relationships
   with each relevant CA and use that business relastionship
   to obtain both "known good" copies of the applicable root
   certs *and* detailed written proof that the CA is doing
   everything necessary to avoid issuing bad/fake certificates.
    This is what Mozilla, Microsoft and apparently Oracle do.
   Some major Linux distribution may doing this too.

B. (Somewhat lazy). Obtain known good verified and digitally
   signed copies of the lists of trusted certificates published
   by a vendor you trust to do this right, extract the
   certificates from their software and use that.

C. Wing it and download the root CA's from the homepages of
   each CA, taking care that you have some way of making sure
   you are not getting a fake copy from someone attacking the
   CA's (or your own) Internet connection.  For example, the CA
   may publish the root cert or a strong fingerprint of it on a
   HTTPS protected URL whose certificate is itself signed by
   another CA you already trust.

Either way, you then need to convert this bundle of collected
CA root certs to a common format and install those converted
files in a way supported by the relevant software (for example,
OpenSSL 1.0.x can use the hashed directory layout produced by
c_rehash from OpenSSL 1.0.x, while OpenSSL 0.9.8 can do the
same with the similar but different layout produced by
c_rehash from OpenSSL 0.9.8, either OpenSSL version can
alternatively use a concatenation of all the certs in PEM


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list