Help needed with x.509 certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Nov 18 18:38:52 CET 2011


On 11/18/2011 04:01 PM, Rebel Neurofog wrote:

> Yet I still don't understand how client certificate is distinguished
> from server certificate
> (at least in non-www cases where no "tls_www_client" and
> "tls_www_server" entries are used in templates)
> Say, the CA signed a server certificate. If the server certificate has
> authority to sign certificates then the server
> can sign client certificates. But why then can't client certificates
> be used as server certificates?

Welcome to the X.509 world. Certificates are distinguished by the
extensions they are tagged with, i.e. you can tag the certificate as a
CA or not (using X.509v3 extensions). If you don't use
tls_www_server then the only way to distinguish server from client
certificates is the text fields of the distinguished name.

> And also which trust file have to be used by
> 'gnutls_certificate_set_x509_trust_file ()' on client side
> and which one on server?

There they put the CA they trust to verify their peers. If it is a common
one, they put the common one.

regards,
Nikos
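As an added example (not part of this thread and not GnuTLS's own code), here is a toy PKI built with the pyca/cryptography library in place of certtool. It issues a root CA, a server certificate and a client certificate, reads the roles back from the X.509v3 extensions alone (the role names mirror certtool's template keys ca, tls_www_server and tls_www_client), and shows why a certificate the server signs does not chain even though its signature checks out: the server certificate lacks the CA bit. The certificate names, the P-256 key type and the validity period are assumptions; the CA PEM at the end is what both sides would pass to gnutls_certificate_set_x509_trust_file().

```python
# Added example (not GnuTLS code and not from the original thread): a toy PKI
# built with the pyca/cryptography library, used as a stand-in for certtool,
# to show that only the X.509v3 extensions tell a CA, a server and a client
# certificate apart. Names, key type and validity periods are assumptions.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, issuer_cert=None, issuer_key=None, *, ca=False, eku=None):
    """Issue a certificate for a fresh P-256 key.

    ca=True -> BasicConstraints CA:TRUE + keyCertSign (certtool template 'ca')
    eku     -> extendedKeyUsage OIDs (certtool 'tls_www_server'/'tls_www_client')
    With no issuer the certificate is self-signed, i.e. a root CA.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_cert_sign=ca, crl_sign=ca,
                content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    cert = builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())
    return cert, key


def purposes(cert):
    """Roles the certificate's extensions permit, named after certtool's template keys."""
    roles = set()
    try:
        if cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            roles.add("ca")
    except x509.ExtensionNotFound:
        pass
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        # RFC 5280: no extendedKeyUsage means no restriction, so the certificate
        # could serve either TLS role; only the DN text would then tell them apart.
        return roles | {"tls_www_server", "tls_www_client"}
    if ExtendedKeyUsageOID.SERVER_AUTH in eku:
        roles.add("tls_www_server")
    if ExtendedKeyUsageOID.CLIENT_AUTH in eku:
        roles.add("tls_www_client")
    return roles


def chain_ok(leaf, issuer):
    """Accept leaf only if issuer signed it AND issuer is itself flagged as a CA."""
    if leaf.issuer != issuer.subject or "ca" not in purposes(issuer):
        return False
    try:
        issuer.public_key().verify(
            leaf.signature, leaf.tbs_certificate_bytes,
            ec.ECDSA(leaf.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return True


# Constructed toy PKI: one root CA, one server certificate, one client certificate.
ca_cert, ca_key = issue("Example Root CA", ca=True)
server_cert, server_key = issue("server.example.com", ca_cert, ca_key,
                                eku=[ExtendedKeyUsageOID.SERVER_AUTH])
client_cert, client_key = issue("alice", ca_cert, ca_key,
                                eku=[ExtendedKeyUsageOID.CLIENT_AUTH])
# The case from the question: the server itself signs a client certificate.
rogue_cert, _ = issue("mallory", server_cert, server_key,
                      eku=[ExtendedKeyUsageOID.CLIENT_AUTH])

# What both client and server hand to gnutls_certificate_set_x509_trust_file():
# the CA certificate they trust, not their own certificate.
trust_pem = ca_cert.public_bytes(serialization.Encoding.PEM)

if __name__ == "__main__":
    for label, cert in [("ca", ca_cert), ("server", server_cert),
                        ("client", client_cert), ("rogue", rogue_cert)]:
        print(f"{label:7s} roles={sorted(purposes(cert))} "
              f"chains_to_ca={chain_ok(cert, ca_cert)}")
    print("rogue chains to server cert?", chain_ok(rogue_cert, server_cert))
```

Note that the CA certificate, which carries no extendedKeyUsage, comes back with both TLS roles as well as "ca": that is the unrestricted case Nikos describes, where nothing but the DN text separates a server from a client certificate. The server-signed "mallory" certificate is a valid signature over a valid TBS but fails chain_ok because its issuer has CA:FALSE, which is the check GnuTLS performs when it verifies a peer against the trust file.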




More information about the Gnutls-help mailing list