[openssl-users] How does OpenSSL load/parse the certificate store?

Jakob Bohm jb-openssl at wisemo.com
Tue Sep 15 18:27:37 UTC 2015

On 15/09/2015 08:28, Rene Bartsch wrote:
> Hi,
> how does OpenSSL scan/parse the certificate store?
> Does it look for specific directory-/filenames (e.g. CA-identity = 
> <filename>.crt) or does it just parse ALL files in the certificate store?
See the documentation of the c_rehash program.

Basically there are two alternative methods:

A) (preferred): For each certificiate, there is a symlink
   from a (weak) checksum of the CA identity to <filename>.pem
   (Example: 17b51fe6.0 -> Certplus_Class_2_Primary_CA.pem).
   If more than one CA ends up with the same checksum, the
   additional links are given increasing numeric suffic,
   and OpenSSL will try them one by one.  Because older
   OpenSSL versions used a different checksum formula, it
   is sometimes useful to set up both sets of symlinks.

B) (preloaded): All the CA certificates (in PEM format) are
   concatenated into a giant certificates.pem file which is
   loaded into memory at OpenSSL start up, this is especially
   useful if the process will chroot() into a directory that
   doesn't contain the certificates.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150915/c1e52b7e/attachment.html>

More information about the openssl-users mailing list