I want the client to send the server a certificate. Now, I'd like to use code that looks like this:
SSL_CTX *ctx; STACK_OF(X509_NAME) *cert_names; ... cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); if (cert_names != NULL) SSL_CTX_set_client_CA_list(ctx, cert_names); else error_handling(); ...But how do I create a CAfile? Also, if I want to specify only one particular CA, what command do I use to send that?
I've read up on SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *list);, but I don't know how to obtain that *list parameter. In this case, I have only 1 single CA.
2 Answers
You can create your own self signed CA file by using following command,
openssl req -out CA.pem -new -x509
This will generate CA.pem file and private key for the same.
Later you can create cert file and key from the generated CA.pem and private key.
Generate server Cert and key :
openssl genrsa -out server.key 1024
openssl req -key server.key -new -out server.req
openssl x509 -req -in server.req -CA CA.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
similarly you can create cert and key for client.
1Normally you'd do something like:
SSL_CTX_set_client_CA_list(CTX, SSL_load_client_CA_file("/path/to/cacert.crt"));I'm not quite sure what you mean by "how do I create a CAfile". The CA certificate is the public certificate of the certificate authority that has signed the client certificate. Either you signed it (in which case you must be the CA and will have the certificate), or a third party did, in which case it will be in the list of trusted certificates on your system (on Ubuntu, for instance, its in /etc/ssl/certs).