
CA cert in DER format usage


sudeepta

Mar 16, 2009, 9:35:11 AM

Hi,

I am writing a server application which is supposed to use certificates/keys
in DER format only. In my code, I am using the following functions for
loading the server certificate and its private key respectively.

SSL_CTX_use_certificate_file(pSSLCtx,"server.cer",SSL_FILETYPE_ASN1) and
SSL_CTX_use_PrivateKey_file(pSSLCtx,"key.cer",SSL_FILETYPE_ASN1)

The root CA file for the client certificate is also in DER format (i.e.
rootCA.cer). I am having trouble loading this certificate for client
verification. I initially tried using the following function:
SSL_CTX_load_verify_locations()
But it seems it is only applicable to PEM format.

Is there any other function which uses ASN1/DER format? Or do I have to
convert the root CA file into PEM format before using?

Thanks in advance..


Regards
Sudeepta


--
View this message in context: http://www.nabble.com/CA-cert-in-DER-format-usage-tp22537600p22537600.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Victor Duchovni

Mar 16, 2009, 10:19:44 AM
On Mon, Mar 16, 2009 at 06:00:13AM -0700, sudeepta wrote:

> I am writing a server application which is supposed to use certificates/keys
> in DER format only.

Why? And why not convert any provided DER to PEM and use that?

> In my code, I am using the following functions for
> loading the server certificate and its private key respectively.
>
> SSL_CTX_use_certificate_file(pSSLCtx,"server.cer",SSL_FILETYPE_ASN1) and

If you read the manpage for this function, you'll see:

SSL_CTX_use_certificate() loads the certificate x into ctx,
SSL_use_certificate() loads x into ssl. The rest of the certificates
needed to form the complete certificate chain can be specified using
the SSL_CTX_add_extra_chain_cert(3) function.

...

SSL_CTX_use_certificate_chain_file() adds the first certificate found
in the file to the certificate store. The other certificates are added
to the store of chain certificates using
SSL_CTX_add_extra_chain_cert(3). There exists only one extra chain
store, so that the same chain is appended to both types of certificates,
RSA and DSA! If it is not intended to use both type of certificate
at the same time, it is recommended to use the
SSL_CTX_use_certificate_chain_file() instead of the
SSL_CTX_use_certificate_file() function in order to allow the use of
complete certificate chains even when no trusted CA storage is used or
when the CA issuing the certificate shall not be added to the trusted
CA storage.

> Is there any other function which uses ASN1/DER format? Or do i have to
> convert the root CA file into PEM format before using?

It is much easier to work with PEM. Convert both certs into PEM and put
them into a single file in the right order.

--
Viktor.

Kyle Hamilton

Mar 16, 2009, 3:47:13 PM
SSL_FILETYPE_ASN1 should handle DER format. SSL_FILETYPE_PEM should
handle PEM format. If it does not, it's a bug.

Which version of the OpenSSL library are you using?

-Kyle H


Kyle Hamilton

Mar 16, 2009, 3:59:05 PM
Actually, I'm perhaps a bit wrong.

Open the file containing the DER representation of the certificate,
read the file to its end, get the length that you read, close the
file, and then SSL_CTX_use_certificate_ASN1(sslctx, len, derbuffer);.

-Kyle H


Dave Thompson

Mar 16, 2009, 9:35:12 PM
> From: owner-ope...@openssl.org On Behalf Of sudeepta
> Sent: Monday, 16 March, 2009 08:00

> I am writing a server application which is supposed to use
> certificates/keys
> in DER format only. In my code, I am using the following functions for
> loading the server certificate and its private key respectively.
>
> SSL_CTX_use_certificate_file(pSSLCtx,"server.cer",SSL_FILETYPE_ASN1) and
> SSL_CTX_use_PrivateKey_file(pSSLCtx,"key.cer",SSL_FILETYPE_ASN1)
>

Others have answered about this part.

> The root CA file for the client certificate is also in DER format (i.e.
> rootCA.cer).I am having trouble loading this certificate for client
> verification. I initially tried using the following function :
> SSL_CTX_load_verify_locations()
> But it seems it is only applicable for PEM formats only.
>

Apparently it is indeed.

> Is there any other function which uses ASN1/DER format? Or do i have to
> convert the root CA file into PEM format before using?
>

There doesn't appear to be any similar SSL-level wrapping.

SSL_CTX_load_verify_locations just calls X509_STORE_load_locations
to put the cert(s) from the file, and/or the dirname(s?) (only)
from the path, in X509_LOOKUP object(s) under the X509_STORE object
pointed to by SSL_CTX->cert_store, which is used for verification.

If your root is (or roots are) static, I think you can do the equivalent
'by hand'; either get the pointer from SSL_CTX_get_cert_store, and add
a LOOKUP_file into which your cert(s) are loaded; or create an X509_STORE
with a loaded LOOKUP_file, and SSL_CTX_set_cert_store it (threadsafe?).

If you want the (dynamic) search-in-dir behavior of CA_path,
it appears you can do the same thing with a LOOKUP_hash_dir,
but I didn't trace it fully; this area is complicated.
And the distributed c_rehash wouldn't set up a hashdir
for DER files, so you'll need to modify or replace that.

sudeepta

Mar 17, 2009, 7:56:23 AM

Thanks Dave

I tried your "by hand" method and it worked.

Regards
Sudeepta

--
View this message in context: http://www.nabble.com/CA-cert-in-DER-format-usage-tp22537600p22553036.html

