[Help-gnutls] Re: adding trusted CAs

Simon Josefsson simon at josefsson.org
Wed Jul 2 18:22:07 CEST 2008

"Rainer Gerhards" <rgerhards at gmail.com> writes:

> Hi all,
> this is probably an exceptionally dumb question, but... ;)
> I would like to ship a number of trusted roots with the default
> rsyslog install - much like web browsers do. The idea is that I would
> like to be able to automatically verify certificates that have been
> obtained by one of those well-known CA.
> Question now: how do I do that? Do I simply add the certificate blocks
> into a single big .pem file? Or do I need to supply multiple files.

Yes, that is typically the simplest.  The
gnutls_certificate_set_x509_trust_file function will read multiple CAs
from a file.

> Also (the probably really dumb one ;)): how do I obtain these
> certificates? Ask the CAs? Or export them from the browser (I've not
> found this option in Firefox).
> Advise is appreciated.

Extracting them from a browser has been done:


I don't recommend shipping these CAs as "trusted" CAs without verifying
them though.  It is generally safest to ask users to install the CAs
they trust manually.


More information about the Gnutls-help mailing list