Problems handling X.509 certificates
simon at josefsson.org
Mon Nov 30 19:03:07 CET 2009
lfinsto at gwdg.de writes:
> Thank you both for your answers. It's not really necessary for me to send
> more than one certificate. However, it is necessary for the client to be
> able to send proxies.
You mean proxy certs (RFC 3820)? Then that shouldn't be a problem --
they are part of the client cert chain that traces back to the CA. I
believe this is how you are supposed to use proxy certs.
> Does this mean that the certificates which are used to create the
> proxies must be "registered" as trusted in the server?
GnuTLS will need to be teached about how to verify cert chains involving
proxy certs. I suspect it will refuse validation now, since the end
entity cert signs the proxy certs but doesn't have CA=false. Unless
someone has added support for validating proxy certs to GnuTLS when I
> One reason I wanted to try verifying a certificate chain using the library
> functions was because of a problem I'm having with the actual certificates
> I need to use. Verification works in the client and server programs when
> I use certificates generated by `certtool', but it fails when I use my
> certificate from the DFN (Deutsches Forschungsnetz
> (http://www.pki.dfn.de/index.php?id=gridroot) and its root certificate.
> However, it does work to verify them using `certtool -e'. Does anyone
> have an idea what the reason for this could be?
Not sure -- we'd need to see the entire certificate chain to be able to
>> Laurence, if this is what you're trying to do, i don't think you want to
> call gnutls_certificate_set_x509_key_file twice. What you want to do is
> to put the ordered certificates (end-entity cert, followed by successive
> CA certs) in file A, and then the private key in a file B (only the
> end-entity's private key -- there's no need to have the private key for
> any intermediate CA). then call gnutls_certificate_set_x509_key_file
> once, pointing to A and B.
> Thank you. It wasn't clear to me that certificates could be concatenated
> in a single file.
Right, I have improved the documentation:
More information about the Gnutls-help