Re: Help needed with x.509 certificate
From: Nikos Mavrogiannopoulos
Subject: Re: Help needed with x.509 certificate
Date: Fri, 18 Nov 2011 18:38:52 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20111010 Icedove/3.1.15

On 11/18/2011 04:01 PM, Rebel Neurofog wrote:
> Yet I still don't understand how a client certificate is distinguished
> from a server certificate
> (at least in non-www cases where no "tls_www_client" and
> "tls_www_server" entries are used in templates)
> Say, the CA signed a server certificate. If the server certificate has
> authority to sign certificates then the server
> can sign client certificates. But why then can't client certificates
> be used as server?
Welcome to the X.509 world. Certificates are distinguished by the
extensions they are tagged with. I.e., you can tag the certificate as a
CA or not (using X.509v3 extensions). If you don't use the
tls_www_server then the only way to distinguish server from client
certificates is the text fields of the distinguished name.
> And also which trust file has to be used by
> 'gnutls_certificate_set_x509_trust_file ()' on the client side
> and which one on the server?
There they put the CA they trust to verify their peers. If it is a common
one they put the common one.
regards,
Nikos
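
Added example, not part of the original message and not GnuTLS code: a minimal reader for the X.509v3 extension list, showing where the CA flag (basicConstraints) and the key purposes that certtool's tls_www_server / tls_www_client template entries set (extKeyUsage serverAuth / clientAuth) live. The function names and the SAMPLES byte strings are constructed for illustration; with no extKeyUsage present, nothing in the extensions marks the certificate as server or client.

```python
OID_BC, OID_EKU = "2.5.29.19", "2.5.29.37"       # basicConstraints, extKeyUsage
ROLES = {"1.3.6.1.5.5.7.3.1": "tls_www_server",  # id-kp-serverAuth
         "1.3.6.1.5.5.7.3.2": "tls_www_client"}  # id-kp-clientAuth

def read(buf):
    """Split consecutive DER elements into (tag, body) pairs (short-form lengths)."""
    items = []
    while buf:
        if len(buf) < 2 or buf[1] & 0x80 or len(buf) < 2 + buf[1]:
            raise ValueError("truncated or long-form element, not handled here")
        items.append((buf[0], buf[2:2 + buf[1]]))
        buf = buf[2 + buf[1]:]
    return items

def dotted(body):
    """Decode OID content bytes to dotted form."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def classify(extensions_der):
    """Return (is_ca, roles) for a DER-encoded X.509v3 Extensions SEQUENCE."""
    is_ca, roles = False, []
    (_, exts), = read(extensions_der)
    for _, ext in read(exts):
        fields = read(ext)  # OID, optional critical BOOLEAN, OCTET STRING value
        ext_id = dotted(fields[0][1])
        if ext_id in (OID_BC, OID_EKU):
            (_, inner), = read(fields[-1][1])  # the extension's own SEQUENCE
            if ext_id == OID_BC:
                is_ca = any(t == 0x01 and b != b"\x00" for t, b in read(inner))
            else:
                roles = [ROLES.get(dotted(b), dotted(b)) for _, b in read(inner)]
    return is_ca, roles

# Constructed sample extension lists (hand-built DER, not taken from real certificates).
BC_LEAF = "300c0603551d130101ff04023000"           # basicConstraints, CA flag absent
BC_CA = "300f0603551d130101ff040530030101ff"       # basicConstraints, CA = TRUE
EKU = "30130603551d25040c300a06082b060105050703"   # extKeyUsage; last byte picks purpose
SAMPLES = {
    "server": bytes.fromhex("3023" + BC_LEAF + EKU + "01"),
    "client": bytes.fromhex("3023" + BC_LEAF + EKU + "02"),
    "ca": bytes.fromhex("3011" + BC_CA),
    "plain": bytes.fromhex("300e" + BC_LEAF),      # no key purpose at all
}
```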