Problems handling X.509 certificates

lfinsto at lfinsto at
Mon Nov 30 10:13:30 CET 2009

"Daniel Kahn Gillmor" <dkg at> wrote:
Date:    Thu, November 26, 2009 4:14 pm

Thank you both for your answers.  It's not really necessary for me to send
more than one certificate.  However, it is necessary for the client to be
able to send proxies.  Does this mean that the certificates which are used
to create the proxies must be "registered" as trusted in the server?

> On 11/26/2009 09:18 AM, Simon Josefsson wrote:
>> The TLS protocol only allow clients to send one X.509 certificate to
>> server.  I suspect that if you need to send two client certificates,
something is wrong with your architecture.

One reason I wanted to try verifying a certificate chain using the library
functions was because of a problem I'm having with the actual certificates
I need to use.  Verification works in the client and server programs when
I use certificates generated by `certtool', but it fails when I use my
certificate from the DFN (Deutsches Forschungsnetz
( and its root certificate. 
However, it does work to verify them using `certtool -e'.  Does anyone
have an idea what the reason for this could be?

> Laurence, if this is what you're trying to do, i don't think you want to
call gnutls_certificate_set_x509_key_file twice.  What you want to do is
to put the ordered certificates (end-entity cert, followed by successive
CA certs) in file A, and then the private key in a file B (only the
end-entity's private key -- there's no need to have the private key for
any intermediate CA).  then call gnutls_certificate_set_x509_key_file
once, pointing to A and B.

Thank you.  It wasn't clear to me that certificates could be concatenated
in a single file.

> hope this helps clear up confusion.

Thanks again for your help.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: DFN-VereinPCAGrid-G01.pem
Type: application/x-x509-ca-cert
Size: 1615 bytes
Desc: not available
URL: </pipermail/attachments/20091130/72393b69/attachment.crt>

More information about the Gnutls-help mailing list