Help needed with x.509 certificate

Rebel Neurofog rebelneurofog at gmail.com
Fri Nov 18 16:01:07 CET 2011


> This may seem like a dumb question, but are you calling
> gnutls_certificate_allocate_credentials() properly?
>
> Not sure it will help, but here is a functioning async certificate
> (client+server) implementation that I wrote some time ago that may provide
> some clues:
> https://svn.enlightenment.org/svn/e/trunk/ecore/src/lib/ecore_con/ecore_con_ssl.c
>
> --
> Mike Blumenkrantz
> Zentific: Doctor recommended, mother approved.
>

Thanks for suggestions. I've checked all that.
So I'm beginning to think that I actually have incorrectly generated
all the PEM stuff.
Here's the code (I suppose there's something stupid there):

# CA
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem \
   --outfile ca-cert.pem --template ca.cfg

# Server cert
certtool --generate-privkey --outfile server-key.pem
certtool --generate-request --load-privkey server-key.pem \
   --outfile server-request.pem --template server.cfg
certtool --generate-certificate --load-request server-request.pem \
   --outfile server-cert.pem --load-ca-certificate ca-cert.pem \
   --load-ca-privkey ca-key.pem --template ca-server.cfg

# Client cert
certtool --generate-privkey --outfile client-key.pem
certtool --generate-request --load-privkey client-key.pem \
   --outfile client-request.pem --template client.cfg
certtool --generate-certificate --load-request client-request.pem \
   --outfile client-cert.pem --load-ca-certificate server-cert.pem \
   --load-ca-privkey server-key.pem --template sv-client.cfg

Yet I still don't understand how a client certificate is distinguished
from a server certificate
(at least in non-www cases where no "tls_www_client" and
"tls_www_server" entries are used in the templates).

Say the CA signed a server certificate. If the server certificate has
the authority to sign certificates, then the server
can sign client certificates. But why then can't client certificates
be used as server certificates?

And also, which trust file has to be used by
'gnutls_certificate_set_x509_trust_file ()' on the client side,
and which one on the server?

Best regards,
Neurofog
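The two questions above (how a client certificate is told apart from a server certificate, and whether a server certificate can stand in as a CA) come down to three X.509 v3 extensions that a TLS peer checks during path validation. The following Python example is added here as an illustration; it is not code from the original thread, from GnuTLS or from certtool. It decodes those extensions from DER with a minimal reader: basicConstraints says whether a certificate may issue others, keyUsage whether its key may sign certificates (keyCertSign), and extendedKeyUsage whether it is acceptable as serverAuth or clientAuth, which is what the tls_www_server and tls_www_client template keywords mentioned above produce (certtool's ca and cert_signing_key keywords produce the first two). The sample extension blocks and every function name in it are constructed for this example.

```python
"""Decode the X.509 v3 extensions that decide what a certificate may do:
basicConstraints (CA?), keyUsage (keyCertSign) and extendedKeyUsage
(serverAuth / clientAuth).  Self-contained: minimal DER reader plus
constructed sample blocks; nothing is read from a real certificate."""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
KEY_CERT_SIGN_BIT = 5                    # RFC 5280 KeyUsage bit numbering


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_contents):
    """Split the contents of a DER SEQUENCE into (tag, contents) pairs."""
    items, pos = [], 0
    while pos < len(seq_contents):
        tag, contents, pos = _read_tlv(seq_contents, pos)
        items.append((tag, contents))
    return items


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def classify(extensions_der):
    """Return what an Extensions SEQUENCE permits the certificate to do."""
    info = {"ca": False, "key_usage_present": False, "key_cert_sign": False,
            "server_auth": False, "client_auth": False}
    _, ext_list, _ = _read_tlv(extensions_der)
    for _tag, ext in _children(ext_list):          # Extension ::= SEQUENCE {OID, [critical], OCTET STRING}
        fields = _children(ext)
        oid = _decode_oid(fields[0][1])
        _, body, _ = _read_tlv(fields[-1][1])      # extnValue holds exactly one DER value
        if oid == OID_BASIC_CONSTRAINTS:
            inner = _children(body)                # [BOOLEAN cA, ...] or [] when cA defaults to FALSE
            info["ca"] = bool(inner) and inner[0][0] == 0x01 and inner[0][1] == b"\xff"
        elif oid == OID_KEY_USAGE:
            info["key_usage_present"] = True
            bits = body[1:]                        # body[0] is the unused-bits count
            info["key_cert_sign"] = bool(bits) and bool(bits[0] & (0x80 >> KEY_CERT_SIGN_BIT))
        elif oid == OID_EXT_KEY_USAGE:
            purposes = {_decode_oid(c) for _t, c in _children(body)}
            info["server_auth"] = OID_SERVER_AUTH in purposes
            info["client_auth"] = OID_CLIENT_AUTH in purposes
    return info


def may_issue(info):
    """RFC 5280 path validation: issuer needs CA:TRUE and, if keyUsage is present, keyCertSign."""
    return info["ca"] and (not info["key_usage_present"] or info["key_cert_sign"])


def role_check(issuer_exts, leaf_exts, role):
    """Emulate what a TLS peer checks: a valid issuer, and a leaf allowed in this role."""
    if not may_issue(classify(issuer_exts)):
        return "rejected: issuer is not a CA"
    if not classify(leaf_exts)[role]:
        return "rejected: leaf lacks " + role
    return "accepted"


# --- DER encoders, used only to build the constructed sample blocks below ---
def _tlv(tag, body):
    assert len(body) < 128                         # short-form lengths are enough here
    return bytes([tag, len(body)]) + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)


def _ext(oid, value_der):
    return _tlv(0x30, _oid(oid) + _tlv(0x04, value_der))


CA_TRUE, CA_FALSE = _tlv(0x30, _tlv(0x01, b"\xff")), _tlv(0x30, b"")
# Constructed samples mirroring what certtool's template keywords emit:
CA_EXTS = _tlv(0x30, _ext(OID_BASIC_CONSTRAINTS, CA_TRUE)                          # "ca"
                     + _ext(OID_KEY_USAGE, _tlv(0x03, b"\x01\x06")))              # keyCertSign|cRLSign
SERVER_EXTS = _tlv(0x30, _ext(OID_BASIC_CONSTRAINTS, CA_FALSE)
                     + _ext(OID_KEY_USAGE, _tlv(0x03, b"\x05\xa0"))              # digitalSignature|keyEncipherment
                     + _ext(OID_EXT_KEY_USAGE, _tlv(0x30, _oid(OID_SERVER_AUTH))))  # "tls_www_server"
CLIENT_EXTS = _tlv(0x30, _ext(OID_BASIC_CONSTRAINTS, CA_FALSE)
                     + _ext(OID_KEY_USAGE, _tlv(0x03, b"\x07\x80"))              # digitalSignature
                     + _ext(OID_EXT_KEY_USAGE, _tlv(0x30, _oid(OID_CLIENT_AUTH))))  # "tls_www_client"

if __name__ == "__main__":
    print(role_check(CA_EXTS, SERVER_EXTS, "server_auth"))       # accepted
    print(role_check(SERVER_EXTS, CLIENT_EXTS, "client_auth"))   # rejected: issuer is not a CA
    print(role_check(CA_EXTS, CLIENT_EXTS, "server_auth"))       # rejected: leaf lacks server_auth
```

Run against the constructed blocks, the checks show the two rules at work: a leaf signed by a certificate that lacks CA:TRUE and keyCertSign is rejected regardless of what the leaf itself claims, which is why a server certificate cannot act as the issuer of client certificates unless its template deliberately marks it as a CA; and a certificate carrying only clientAuth is rejected when presented in the server role, which is the only thing that separates a "client" from a "server" certificate. Both peers verify the other side's chain against the same root, so in a setup like the one above the trust file on either side is the CA certificate, not the peer's own certificate.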
