On Wed, Jul 20, 2016, Jim Carroll wrote: > Thanks much....I have a corollary question if you don't mind. In OpenSSL > 1.1.0, what is the accepted procedure to convert a STACK_OF(X509) to DER? > It depends on what you mean by "to DER" and what the other ends is expecting. The code snipped I suggested will do that: if you call i2d_SEQ_CERT (or whatever you called it) that will work. That wraps the whole lot in a SEQUENCE header which is the same as the original. That is it is a SEQUENCE OF X509. > Would it be acceptable to just iterate the stack elements, passing each X509 > through i2d_X509 and appending the results -- would that generate valid DER? > Is there a better way? > It depends on what the other side expects. If you just do that that and EOF signals the and of the last certificate you'll be fine. If you append additional data afterwards then you need to mark the last certificate somehow. The certificate sequence version prepends the data with the length of all the certificates so it automatically handles that. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org