help-gnutls

Re: Problems handling X.509 certificates


From: lfinsto
Subject: Re: Problems handling X.509 certificates
Date: Mon, 30 Nov 2009 10:13:30 +0100 (CET)
User-agent: SquirrelMail/1.4.9a

"Daniel Kahn Gillmor" <address@hidden> wrote:
Date:    Thu, November 26, 2009 4:14 pm

Thank you both for your answers.  It's not really necessary for me to send
more than one certificate.  However, it is necessary for the client to be
able to send proxies.  Does this mean that the certificates which are used
to create the proxies must be "registered" as trusted in the server?

> On 11/26/2009 09:18 AM, Simon Josefsson wrote:
>> The TLS protocol only allows clients to send one X.509 certificate to the
>> server.  I suspect that if you need to send two client certificates,
>> something is wrong with your architecture.
>

One reason I wanted to try verifying a certificate chain using the library
functions was a problem I'm having with the actual certificates I need to
use.  Verification works in the client and server programs when I use
certificates generated by `certtool', but it fails when I use my
certificate from the DFN (Deutsches Forschungsnetz,
http://www.pki.dfn.de/index.php?id=gridroot) and its root certificate.
However, it does work to verify them using `certtool -e'.  Does anyone
have an idea what the reason for this could be?

> Laurence, if this is what you're trying to do, I don't think you want to
> call gnutls_certificate_set_x509_key_file twice.  What you want to do is
> to put the ordered certificates (end-entity cert, followed by successive
> CA certs) in file A, and then the private key in a file B (only the
> end-entity's private key -- there's no need to have the private key for
> any intermediate CA).  Then call gnutls_certificate_set_x509_key_file
> once, pointing to A and B.

Thank you.  It wasn't clear to me that certificates could be concatenated
in a single file.

> hope this helps clear up confusion.

Thanks again for your help.

Laurence

Attachment: DFN-VereinPCAGrid-G01.pem
Description: application/x509-ca-cert


reply via email to

[Prev in Thread] Current Thread [Next in Thread]