Problems handling X.509 certificates

Simon Josefsson simon at josefsson.org
Mon Nov 30 19:03:07 CET 2009


lfinsto at gwdg.de writes:

> Thank you both for your answers.  It's not really necessary for me to send
> more than one certificate.  However, it is necessary for the client to be
> able to send proxies.

You mean proxy certs (RFC 3820)?  Then that shouldn't be a problem --
they are part of the client cert chain that traces back to the CA.  I
believe this is how you are supposed to use proxy certs.

> Does this mean that the certificates which are used to create the
> proxies must be "registered" as trusted in the server?

GnuTLS will need to be taught about how to verify cert chains involving
proxy certs.  I suspect it will refuse validation now, since the end
entity cert signs the proxy certs but doesn't have CA=false.  Unless
someone has added support for validating proxy certs to GnuTLS when I
didn't look...

> One reason I wanted to try verifying a certificate chain using the library
> functions was because of a problem I'm having with the actual certificates
> I need to use.  Verification works in the client and server programs when
> I use certificates generated by `certtool', but it fails when I use my
> certificate from the DFN (Deutsches Forschungsnetz,
> http://www.pki.dfn.de/index.php?id=gridroot) and its root certificate.
> However, it does work to verify them using `certtool -e'.  Does anyone
> have an idea what the reason for this could be?

Not sure -- we'd need to see the entire certificate chain to be able to
debug it.

>> Laurence, if this is what you're trying to do, i don't think you want to
>> call gnutls_certificate_set_x509_key_file twice.  What you want to do is
>> to put the ordered certificates (end-entity cert, followed by successive
>> CA certs) in file A, and then the private key in a file B (only the
>> end-entity's private key -- there's no need to have the private key for
>> any intermediate CA).  then call gnutls_certificate_set_x509_key_file
>> once, pointing to A and B.
>
> Thank you.  It wasn't clear to me that certificates could be concatenated
> in a single file.

Right, I have improved the documentation:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2ae95bfe200b6a39bd3908bf5b74f84c643bd5e3

Thanks,
/Simon
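As an added illustration (not code from this post or from GnuTLS itself), the ordering rule quoted above can be checked before a bundle is handed to gnutls_certificate_set_x509_key_file: the end-entity certificate comes first, and each certificate's issuer Name must equal the subject Name of the certificate that follows it. The Python below builds a few constructed, unsigned placeholder certificates with a minimal DER encoder, writes them as a PEM bundle, parses the bundle back and reports out-of-order entries. It checks ordering only: it does not verify any signature, and it compares Names as raw DER bytes, which is stricter than RFC 5280 name matching. The names and the `fake_cert` helper are assumptions made for the example.

```python
"""Check that a PEM bundle is ordered as GnuTLS expects (end-entity first,
then each successive issuing CA).  Added example; certificates are
constructed placeholders, not real DFN or certtool output."""
import base64
import re

SHA256_RSA_OID = b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"  # 1.2.840.113549.1.1.11


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF { commonName (2.5.4.3), UTF8String }."""
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def fake_cert(subject: str, issuer: str) -> bytes:
    """Constructed, unsigned certificate skeleton (assumption: not a real cert)."""
    alg = der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"091130000000Z") + der_tlv(0x17, b"101130000000Z"))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # [0] version v3
                  + der_tlv(0x02, b"\x01")               # serialNumber
                  + alg + name(issuer) + validity + name(subject)
                  + der_tlv(0x30, b""))                  # subjectPublicKeyInfo placeholder
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))  # dummy signature


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_bundle(pem: str):
    """Return [(issuer_der, subject_der), ...] in the order found in the file."""
    out = []
    for m in PEM_RE.finditer(pem):
        der = base64.b64decode("".join(m.group(1).split()))
        _, cert, _ = der_read(der)              # Certificate SEQUENCE
        _, tbs, _ = der_read(cert)              # tbsCertificate
        tag, _, pos = der_read(tbs)             # [0] version, or serialNumber if absent
        if tag == 0xA0:
            _, _, pos = der_read(tbs, pos)      # serialNumber
        _, _, pos = der_read(tbs, pos)          # signature AlgorithmIdentifier
        _, issuer, pos = der_read(tbs, pos)
        _, _, pos = der_read(tbs, pos)          # validity
        _, subject, _ = der_read(tbs, pos)
        out.append((issuer, subject))
    return out


def common_name(name_body: bytes) -> str:
    """Pull the commonName string back out of a Name body (single-RDN names only)."""
    _, rdn, _ = der_read(name_body)
    _, atv, _ = der_read(rdn)
    _, _, pos = der_read(atv)                   # skip the OID
    return der_read(atv, pos)[1].decode()


def chain_order_problems(pem: str):
    """Empty list means the bundle is ordered end-entity -> ... -> root."""
    certs = parse_bundle(pem)
    if not certs:
        return ["no certificates found in bundle"]
    problems = []
    for i in range(len(certs) - 1):
        issuer, _ = certs[i]
        _, next_subject = certs[i + 1]
        if issuer != next_subject:
            problems.append(f"cert {i} ({common_name(certs[i][1])}) is issued by "
                            f"'{common_name(issuer)}', but cert {i + 1} is "
                            f"'{common_name(next_subject)}'")
    return problems


def demo():
    ee = fake_cert("laurence.example", "Intermediate CA")
    inter = fake_cert("Intermediate CA", "Root CA")
    root = fake_cert("Root CA", "Root CA")
    good = to_pem(ee) + to_pem(inter) + to_pem(root)   # file A as described above
    bad = to_pem(root) + to_pem(inter) + to_pem(ee)    # same certs, reversed
    return chain_order_problems(good), chain_order_problems(bad)


if __name__ == "__main__":
    for label, problems in zip(("ordered", "reversed"), demo()):
        print(label, "->", problems or "OK")
```

Run it against a real bundle with `chain_order_problems(open("A.pem").read())`; an empty list only says the file is in the order the library expects, so a remaining verification failure points at trust or signature issues rather than at concatenation order.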