Re: Problems handling X.509 certificates

[Simon Josefsson]

Daniel Kahn Gillmor <address@hidden> writes:

> On 11/26/2009 09:18 AM, Simon Josefsson wrote:
>> The TLS protocol only allow clients to send one X.509 certificate to the
>> server.  I suspect that if you need to send two client certificates,
>> something is wrong with your architecture.
>
> Laurence may be confused about this, and trying to send two end-entity
> certificates, in which case Simon's remarks here are correct.
>
> But a gnutls client may also offer intermediate certificate authority
> certificates (to bridge the gap from the server's announced root CAs to
> the client's end-entity certificate).
>
> In that case, the spec certainly allows the client to inject multiple
> certificates in the certificate_list structure, with the (maybe
> not-so-clear) intention of giving the server a chained trust path to the
> client's own certificate:
>
>  http://tools.ietf.org/html/rfc5246#section-7.4.2
>
> Laurence, if this is what you're trying to do, i don't think you want to
> call gnutls_certificate_set_x509_key_file twice.  What you want to do is
> to put the ordered certificates (end-entity cert, followed by successive
> CA certs) in file A, and then the private key in a file B (only the
> end-entity's private key -- there's no need to have the private key for
> any intermediate CA).  then call gnutls_certificate_set_x509_key_file
> once, pointing to A and B.
>
> hope this helps clear up confusion.

Thank you, I hope that helps in case Laurence wanted to provide two
certs from the same chain to the server.

/Simon