On 15/09/2015 08:28, Rene Bartsch wrote:
> Hi,
>
> how does OpenSSL scan/parse the certificate store?
>
> Does it look for specific directory-/filenames (e.g. CA-identity =
> <filename>.crt) or does it just parse ALL files in the certificate store?
>

See the documentation of the c_rehash program.

Basically there are two alternative methods:

A) (preferred): For each certificate, there is a symlink from a (weak)
checksum of the CA identity to <filename>.pem (Example: 17b51fe6.0 ->
Certplus_Class_2_Primary_CA.pem). If more than one CA ends up with the
same checksum, the additional links are given increasing numeric
suffixes, and OpenSSL will try them one by one. Because older OpenSSL
versions used a different checksum formula, it is sometimes useful to
set up both sets of symlinks.

B) (preloaded): All the CA certificates (in PEM format) are concatenated
into a giant certificates.pem file which is loaded into memory at
OpenSSL start up; this is especially useful if the process will chroot()
into a directory that doesn't contain the certificates.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
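The hashed-directory layout of method A, as an added example that is not part of the original message and is not the c_rehash script itself: it creates `<hash>.<n>` symlinks for both hash formulas and gives colliding hashes increasing suffixes. The function names are hypothetical, and it assumes each `*.pem` file holds exactly one certificate; `-subject_hash` and `-subject_hash_old` are the `openssl x509` options for the current and the pre-1.0.0 formula.

```shell
#!/bin/sh
# Added example (not from the original message): build the <hash>.<n>
# symlinks OpenSSL looks up in a CA directory.
# Assumption: every *.pem file in the directory holds one certificate.

# Print the first unused link name "<hash>.<n>" in directory $1 for hash $2.
next_link_name() {
    n=0
    # -L also catches dangling symlinks, which -e reports as missing.
    while [ -e "$1/$2.$n" ] || [ -L "$1/$2.$n" ]; do
        n=$((n + 1))
    done
    printf '%s.%s\n' "$2" "$n"
}

# Link certificate $2 (a file name inside directory $1) under hash $3,
# reusing an existing link that already points at it. Prints the link name.
link_cert() {
    for existing in "$1/$3".*; do
        if [ -L "$existing" ] && [ "$(readlink "$existing")" = "$2" ]; then
            basename "$existing"
            return 0
        fi
    done
    name=$(next_link_name "$1" "$3")
    ln -s "$2" "$1/$name" && printf '%s\n' "$name"
}

# Create both sets of links (current and pre-1.0.0 hash) for directory $1.
rehash_dir() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        for opt in -subject_hash -subject_hash_old; do
            # Skip files that openssl cannot parse as a certificate.
            h=$(openssl x509 -noout "$opt" -in "$cert") || continue
            link_cert "$1" "$(basename "$cert")" "$h" >/dev/null
        done
    done
}

# Run only when a directory is given on the command line.
if [ $# -gt 0 ]; then rehash_dir "$1"; fi
```

Relative link targets keep the directory usable after it is moved or bind-mounted into a chroot.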