recommendations for storage of accepted certificates

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Oct 2 08:51:18 CEST 2010


On 10/01/2010 09:50 PM, Ted Zlatanov wrote:
> I want to store the server certificates that the user accepts.  This is
> inside Emacs so I have easy access to file editing and all the other
> nifty Emacs Lisp functions.
> 
> Can I generate a trust file? 

Of course you can. Just store the trusted certificates in PEM format.
However, there you place trusted CAs, thus any CA you store could
potentially verify any server, which is quite dangerous and might not be
what you want.

The best alternative would be to store for every server the
corresponding certificate and during next connection verify that it
remained the same.

> Currently the trust file is the one that
> comes with the OS but I could make a user-specific one and copy the OS
> trust file contents into the user's.  Or is the trust file only a bundle
> of certificate authorities?  I can't find documentation on the format.

If you go with the first approach, you don't really need to store the
system file in the user one. You can call
gnutls_certificate_set_x509_key_file() multiple times (once to load the
system file and once more for the user's).

regards,
Nikos
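The per-server approach Nikos describes (store each server's certificate and, on the next connection, check that it is still the same) as an added Python example; this is not code from the thread, from GnuTLS or from Emacs. The class name `TofuStore`, the JSON file layout and the DER blobs in `demo()` are assumptions constructed for the example; a real client would pass the bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""Trust-on-first-use (TOFU) store for per-server certificates.

Added example, not part of the original thread. It remembers the
certificate each host:port presented and reports, on later connections,
whether the certificate is unchanged. Names and file format are assumed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first-use"   # no record yet: recorded now, but this first sight is unauthenticated
    MATCH = "match"           # identical certificate to the one recorded
    MISMATCH = "mismatch"     # certificate changed: refuse, or ask the user before accepting


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, so the whole certificate is pinned, not just the key."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """JSON file mapping "host:port" -> {"sha256": fingerprint}."""

    def __init__(self, path: str):
        self.path = path
        self._db = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self._db = json.load(fh)

    def _save(self) -> None:
        # Write to a temporary file and rename, so a crash never leaves a truncated store.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self._db, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)

    def check(self, host: str, port: int, der_cert: bytes) -> Verdict:
        """Compare the presented certificate against the stored one for this endpoint."""
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        known = self._db.get(key)
        if known is None:
            self._db[key] = {"sha256": fp}
            self._save()
            return Verdict.FIRST_USE
        if hmac.compare_digest(known["sha256"], fp):
            return Verdict.MATCH
        return Verdict.MISMATCH

    def accept(self, host: str, port: int, der_cert: bytes) -> None:
        """Replace the record only after the user has explicitly accepted the new certificate."""
        self._db[f"{host}:{port}"] = {"sha256": fingerprint(der_cert)}
        self._save()


def demo() -> list:
    """Runs first-use, match and mismatch against constructed (fake) DER blobs in a temp dir."""
    cert_a = b"constructed-der-certificate-A"   # constructed stand-in for real DER bytes
    cert_b = b"constructed-der-certificate-B"   # constructed: a different certificate
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "known-servers.json")
        v1 = TofuStore(path).check("mail.example.test", 993, cert_a)
        v2 = TofuStore(path).check("mail.example.test", 993, cert_a)  # reloaded from disk
        v3 = TofuStore(path).check("mail.example.test", 993, cert_b)  # changed certificate
        store = TofuStore(path)
        store.accept("mail.example.test", 993, cert_b)                # user accepted the change
        v4 = TofuStore(path).check("mail.example.test", 993, cert_b)
        return [v1, v2, v3, v4]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The store is keyed by host and port, so the same name on two ports gets two independent records. A `MISMATCH` is the event worth surfacing to the user: a legitimate certificate renewal and an interception attempt look identical at this layer, which is why the change is never accepted silently and why the first-use record carries no assurance about who the server was.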
