[openssl-users] How to define server cert in openssl.cnf ?

Stefan Runkel S.Runkel at nanotron.com
Mon Feb 22 20:17:01 UTC 2016


hello,
i am running el5 with unmodified openssl.cnf file and have a program that uses the openssl libraries but is stupid enough to not offer some parameters to configure cert and cacert ("check_nrpe").

This programs source code initializes the openssl lib as follows:
               SSL_library_init();
               SSLeay_add_ssl_algorithms();
               meth=SSLv23_client_method();
               SSL_load_error_strings();
               SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

Given "local_host_name.pem" and "ca_new.crt" which are created on a different machine (my root ca) with openssl, if i run a

               openssl s_client -connect remotehost.80:5666 -CAfile /etc/tmpssl/ca_new.crt -cert /etc/tmpssl/local_host_name.pem

that validates remotehost's certificate successfully and remotehost does not complain either in the logs.
So, what i *think* i need now is to setup an openssl.cnf file which enables me to run above command without specifying the certs:

               openssl s_client -connect remotehost.80:5666

After appending "ca_new.crt" to "/etc/pki/tls/certs/ca_bundle.crt", i can omit the "-CAfile /etc/tmpssl/ca_new.crt" parameter from above command and it still works fine.
But i can not find out what to do with the server certificate "local_host_name.pem" to reach my goal.

Could anybody please enlighten me ?

greetings, SR


-- 
Nanotron Technologies GmbH * Alt-Moabit 60 * 10555 Berlin * Germany
Geschaeftsfuehrer: Dr. Jens N. Albers
Sitz der Gesellschaft: Berlin * Registergericht: Berlin-Charlottenburg * HRB 42324
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160222/d3a1efd9/attachment.html>


More information about the openssl-users mailing list