Problems handling X.509 certificates

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Nov 26 16:14:06 CET 2009


On 11/26/2009 09:18 AM, Simon Josefsson wrote:
> The TLS protocol only allows clients to send one X.509 certificate to the
> server.  I suspect that if you need to send two client certificates,
> something is wrong with your architecture.

Laurence may be confused about this, and trying to send two end-entity
certificates, in which case Simon's remarks here are correct.

But a gnutls client may also offer intermediate certificate authority
certificates (to bridge the gap from the server's announced root CAs to
the client's end-entity certificate).

In that case, the spec certainly allows the client to inject multiple
certificates in the certificate_list structure, with the (maybe
not-so-clear) intention of giving the server a chained trust path to the
client's own certificate:

 http://tools.ietf.org/html/rfc5246#section-7.4.2

Laurence, if this is what you're trying to do, I don't think you want to
call gnutls_certificate_set_x509_key_file twice.  What you want to do is
to put the ordered certificates (end-entity cert, followed by successive
CA certs) in file A, and then the private key in a file B (only the
end-entity's private key -- there's no need to have the private key for
any intermediate CA).  Then call gnutls_certificate_set_x509_key_file
once, pointing to A and B.

Hope this helps clear up confusion.

	--dkg
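As an added illustration (not part of dkg's message or of GnuTLS itself), the file layout he describes, built and checked with the openssl CLI so it needs no TLS peer: a constructed root/intermediate/leaf hierarchy, file A and file B assembled as above, then checks that A is ordered end-entity first, that B's key belongs to the first cert in A, and that A chains to the root. The WORK directory, file names and subject names are assumptions made for this example.

```shell
# Builds the two files from the message: A = end-entity cert followed by the
# intermediate CA cert(s), B = the end-entity private key only.  A throwaway
# root -> intermediate -> leaf hierarchy is generated locally so this runs
# offline; all names and paths are constructed for this example (hypothetical).
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Create a root CA, an intermediate CA signed by it, and the client's leaf cert.
make_hierarchy() (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Example Root' \
        -keyout root.key -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
        -keyout ica.key -out ica.csr 2>/dev/null
    openssl x509 -req -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out ica.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client@example.org' \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ica.pem -CAkey ica.key -CAcreateserial \
        -out leaf.pem 2>/dev/null
)
# File A: ordered chain, end-entity first.  File B: the end-entity key only;
# no CA private key belongs on the client at all.
assemble_files() {
    cat "$WORK/leaf.pem" "$WORK/ica.pem" > "$WORK/A.pem"
    cp "$WORK/leaf.key" "$WORK/B.key"
}
# Extract the n-th PEM certificate (1-based) from a file.
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"; }
# Check 1: each certificate in A is issued by the one that follows it.
chain_ordered() {
    i=1
    while nxt=$(nth_cert "$WORK/A.pem" $((i + 1))) && [ -n "$nxt" ]; do
        iss=$(nth_cert "$WORK/A.pem" "$i" | openssl x509 -noout -issuer)
        sub=$(printf '%s\n' "$nxt" | openssl x509 -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
        i=$((i + 1))
    done
}
# Check 2: the key in B belongs to the first certificate in A (same public key).
key_matches_leaf() {
    [ "$(openssl x509 -in "$WORK/A.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/B.key" -pubout)" ]
}
# Check 3: using A as the untrusted pool, the leaf must chain to the trusted root.
chain_ok() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/A.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}
```

Once these checks pass, the single gnutls_certificate_set_x509_key_file call from the message takes A.pem as its certificate file and B.key as its key file.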
