Randomly Named User - 11 days ago
C Question

openSSL: How to create a CAfile

I want the client to send the server a certificate. Now, I'd like to use code that looks like this:

SSL_CTX *ctx;
STACK_OF(X509_NAME) *cert_names;
...
/* read the subject name of every certificate in the PEM file */
cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
if (cert_names != NULL)
    SSL_CTX_set_client_CA_list(ctx, cert_names);   /* ctx takes ownership of the list */
else
    error_handling();
...


But how do I create a CAfile? Also, if I want to specify only one particular CA, what command do I use to send that?

I've read up on SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);, but I don't know how to obtain that *list parameter. In this case, I have only a single CA.

Answer

Normally you'd do something like:

SSL_CTX_set_client_CA_list(CTX, SSL_load_client_CA_file("/path/to/cacert.crt"));

I'm not quite sure what you mean by "how do I create a CAfile". The CA certificate is the public certificate of the certificate authority that has signed the client certificate. Either you signed it (in which case you must be the CA and will have the certificate), or a third party did, in which case it will be in the list of trusted certificates on your system (on Ubuntu, for instance, it's in /etc/ssl/certs).
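The script below is an added example and is not part of the question or the answer above. It shows, with the openssl CLI only, what a "CAfile" for SSL_load_client_CA_file() actually is: a PEM file holding the certificate of each CA you will accept, concatenated. With one CA the file is just that CA's own certificate, and SSL_load_client_CA_file() returns a list with one X509_NAME, the CA's subject. The example creates a self-signed CA, builds the CAfile from it, lists the names a server would advertise, issues a client certificate under that CA, and verifies it the way the server's own chain validation would. All file names, the directory, and the "Demo Client CA" / "alice" names are assumptions made for the demo; the script assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not part of the original Q&A: build the "CAfile" that
# SSL_load_client_CA_file() expects, using only the openssl CLI.
# Assumptions: openssl 1.1.1+ on PATH; the file, section and subject names
# below are arbitrary choices for this demo.
set -eu

# make_cafile DIR CN
# Creates a self-signed CA under DIR and writes DIR/CAfile.pem.
# A CAfile is nothing more than one or more PEM certificates concatenated;
# with a single accepted CA it is just that CA's own certificate.
make_cafile() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # Mark the certificate as a CA explicitly instead of relying on the
    # distro's default openssl.cnf; -subj makes the empty [dn] section fine.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "/CN=$cn" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Concatenate every CA you will accept; here there is only one.
    cat "$dir/ca.crt" > "$dir/CAfile.pem"
    printf '%s\n' "$dir/CAfile.pem"
}

# cafile_count FILE: number of certificates in the bundle (1 here).
cafile_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# cafile_subjects FILE: prints the subject of every certificate in the bundle.
# These are exactly the X509_NAMEs that SSL_load_client_CA_file() returns and
# that the server sends in its CertificateRequest after
# SSL_CTX_set_client_CA_list().
cafile_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# make_client_cert DIR CN: issue a client certificate signed by the demo CA,
# restricted to TLS client authentication.
make_client_cert() {
    dir=$1; cn=$2
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    cat > "$dir/client.ext" <<'EOF'
[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$dir/client.ext" -extensions client_ext \
        -out "$dir/client.crt" >/dev/null 2>&1
    printf '%s\n' "$dir/client.crt"
}

# verify_client DIR: the same chain check the server performs when it
# validates the presented client certificate against the CAs it trusts.
verify_client() {
    openssl verify -CAfile "$1/CAfile.pem" -purpose sslclient \
        "$1/client.crt" >/dev/null
}

# Full demo when invoked as: sh cafile.sh demo   (directory ./ca-demo is arbitrary)
case "${1:-}" in
demo)
    f=$(make_cafile ./ca-demo "Demo Client CA")
    echo "CAfile: $f ($(cafile_count "$f") certificate(s))"
    cafile_subjects "$f"
    make_client_cert ./ca-demo alice >/dev/null
    verify_client ./ca-demo && echo "client certificate verifies against CAfile"
    ;;
esac
```

One caveat worth keeping in mind: SSL_CTX_set_client_CA_list() only controls which CA names the server advertises to the client. It does not by itself make the server trust those CAs or require a certificate at all; for that you still need SSL_CTX_load_verify_locations() (the same CAfile works there) together with SSL_CTX_set_verify() and SSL_VERIFY_PEER (plus SSL_VERIFY_FAIL_IF_NO_PEER_CERT if a certificate is mandatory).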