[Help-gnutls] Re: adding trusted CAs
Simon Josefsson
simon at josefsson.org
Wed Jul 2 18:22:07 CEST 2008
"Rainer Gerhards" <rgerhards at gmail.com> writes:
> Hi all,
>
> this is probably an exceptionally dumb question, but... ;)
>
> I would like to ship a number of trusted roots with the default
> rsyslog install - much like web browsers do. The idea is that I would
> like to be able to automatically verify certificates that have been
> obtained by one of those well-known CAs.
>
> Question now: how do I do that? Do I simply add the certificate blocks
> into a single big .pem file? Or do I need to supply multiple files?

Yes, that is typically the simplest. The
gnutls_certificate_set_x509_trust_file function will read multiple CAs
from a file.

> Also (the probably really dumb one ;)): how do I obtain these
> certificates? Ask the CAs? Or export them from the browser (I've not
> found this option in Firefox).
>
> Advice is appreciated.

Extracting them from a browser has been done:
http://curl.haxx.se/docs/caextract.html

I don't recommend shipping these CAs as "trusted" CAs without verifying
them though. It is generally safest to ask users to install the CAs
they trust manually.

/Simon
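
An added example, not part of the original message or of GnuTLS: a pre-flight check that counts the certificate blocks in a concatenated PEM bundle, so the number can be compared with the CAs that were actually reviewed and with the count gnutls_certificate_set_x509_trust_file returns when it loads the file. The function name count_pem_certs and the sample bundle (placeholder bodies, not real certificates) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Count complete certificate blocks in an in-memory PEM bundle.
 * Returns the count, or -1 if a block is unterminated, nested, or an
 * END marker appears without a BEGIN. Text between blocks (such as the
 * CA names in an extracted bundle) is ignored. Hypothetical helper. */
int count_pem_certs(const char *bundle)
{
    int count = 0, inside = 0;
    const char *p = bundle;

    while (*p) {
        size_t len = strcspn(p, "\n");   /* length of the current line */
        size_t n = len;
        while (n > 0 && (p[n - 1] == '\r' || p[n - 1] == ' '))
            n--;                         /* tolerate CRLF and trailing spaces */
        if (n == strlen(PEM_BEGIN) && strncmp(p, PEM_BEGIN, n) == 0) {
            if (inside) return -1;       /* BEGIN inside an open block */
            inside = 1;
        } else if (n == strlen(PEM_END) && strncmp(p, PEM_END, n) == 0) {
            if (!inside) return -1;      /* END without a BEGIN */
            inside = 0;
            count++;
        }
        p += len;
        if (*p == '\n') p++;
    }
    return inside ? -1 : count;          /* truncated file: last block open */
}

/* Constructed sample: two blocks with placeholder bodies. */
static const char sample_bundle[] =
    "Example Root CA 1 (constructed)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERBASE64AAAA\n"
    "-----END CERTIFICATE-----\n"
    "\n"
    "Example Root CA 2 (constructed)\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "PLACEHOLDERBASE64BBBB\r\n"
    "-----END CERTIFICATE-----\r\n";

int main(void)
{
    printf("certificates in bundle: %d\n", count_pem_certs(sample_bundle));
    return 0;
}
```

A mismatch between this count and the number of CAs reviewed for shipping, or a return of -1, means the bundle should not be installed as a trust store until it is rebuilt.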