> On Dec 12, 2015, at 4:23 PM, Dominik Mahrer (Teddy) <teddy at teddy.ch> wrote:
>
> > How can I set up a bundle of commercial root CA certificates?
>
> Exactly this same question I found as FAQ # 16 (User). But as an answer
> there it is only explained that openssl will not serve a bundle. But it
> is not explained how to set up a bundle - but exactly this I would like
> to know.

To populate OpenSSL's trust-anchor set (which ships empty), you first need
to determine the OpenSSL configuration directory, which is reported by
(e.g. on my NetBSD system):

    $ openssl version -d
    OPENSSLDIR: "/usr/pkg/etc/openssl"

OpenSSL looks for certificates at that location, specifically:

    X509_CERT_DIR   OPENSSLDIR "/certs"
    X509_CERT_FILE  OPENSSLDIR "/cert.pem"

In other words, you can concatenate all the trusted root CA certs into the
"cert.pem" file in that directory, but this has a performance cost, as all
the certificates are loaded into memory and parsed even though most go
unused.

Alternatively, you can put one certificate per file into the "certs/"
sub-directory, and run c_rehash, to create the necessary symlinks that
make it possible for OpenSSL to find the certificate for a given issuer DN.

Some O/S distributions automatically populate the above file and/or
directory as part of installing OpenSSL, with whatever trust-anchors (root
CAs) they think are broadly applicable. OpenSSL upstream does not make that
choice.

-- 
	Viktor.
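The following is an added worked example, not part of the thread above and not OpenSSL project code. It builds both layouts Viktor describes (the concatenated cert.pem bundle and the one-cert-per-file certs/ directory with hash symlinks) in a scratch directory that stands in for OPENSSLDIR, using only the openssl CLI. The directory name, the function names and the throw-away self-signed "root" it generates are all constructed for illustration; point $STORE at the directory reported by `openssl version -d` to do the same thing for real.

```shell
#!/bin/sh
# Added example: populate an OpenSSL trust store the way the reply above
# describes. $STORE is an assumption standing in for OPENSSLDIR; the certs
# created here are constructed test data, not real trust anchors.
set -eu

STORE="${STORE:-$(mktemp -d)}"   # stand-in for the dir from `openssl version -d`
mkdir -p "$STORE/certs"

# Create a throw-away self-signed root (constructed test data). $1 is the
# CN to use, $2 the PEM output path; the private key lands in "$2.key".
make_test_ca() {
    name="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name" -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Install one root CA PEM ($1) into both layouts:
#   1. append it to OPENSSLDIR/cert.pem (the single-bundle form, X509_CERT_FILE)
#   2. copy it into OPENSSLDIR/certs/ and create the <subject_hash>.N symlink
#      that c_rehash / `openssl rehash` would create (X509_CERT_DIR).
# The hash is over the CA's subject DN, which is the issuer DN on every cert
# it signs, so -CApath lookups by issuer find the file without reading the
# whole directory. Prints the symlink name that was created.
install_trust_anchor() {
    pem="$1"
    base=$(basename "$pem")
    cat "$pem" >> "$STORE/cert.pem"
    cp "$pem" "$STORE/certs/$base"
    hash=$(openssl x509 -in "$pem" -noout -subject_hash)
    # Several CAs can share a subject hash; c_rehash numbers them .0, .1, ...
    n=0
    while [ -e "$STORE/certs/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$base" "$STORE/certs/$hash.$n"
    echo "$hash.$n"
}

# Exit 0 if OpenSSL trusts $1 using only the per-file directory, 1 otherwise.
# -no-CAfile/-no-CApath (OpenSSL 1.1.0+) keep the default store out of the way
# so the result reflects what we installed and nothing else.
verify_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$STORE/certs" "$1" >/dev/null 2>&1
}

# Same check, but through the concatenated bundle file instead.
verify_cafile() {
    openssl verify -no-CAfile -no-CApath -CAfile "$STORE/cert.pem" "$1" >/dev/null 2>&1
}
```

Usage: `make_test_ca "Example Root" "$STORE/root.pem"`, then `install_trust_anchor "$STORE/root.pem"`, after which `verify_capath "$STORE/root.pem"` and `verify_cafile "$STORE/root.pem"` both succeed while a second, uninstalled self-signed cert is rejected by both. For a directory of real CA files, `openssl rehash "$STORE/certs"` (1.1.0+) or the older `c_rehash` script performs the symlink step of `install_trust_anchor` for every file at once.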