Re: Multi root certs support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On 11 Mar 2022, at 8:49 am, Tomas Mraz <tomas@xxxxxxxxxxx> wrote:
> 
> Yes, this is a fully supported scenario.
> 
> You can even test it with the openssl s_server command - use -cert, -
> key, and -cert_chain for the first certificate and -dcert, -dkey, and -
> dcert_chain with the second one.

Note that with e.g. SMTP, where some sites also publish DANE
TLSA records, when multiple certificates are configured, multiple
corresponding TLSA records need to be published:

 https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html
 https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html

At the API level you can call `SSL_CTX_use_cert_and_key(3)` multiple
times, once per algorithm.  If `replace` is zero and keys for the same
algorithm are provided more than once an error is reported.  For example:

  https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L152-L181
  https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_cert_and_key.html

The keys, cert and chain are copied by OpenSSL, so you need to free your
copy when no longer needed.

-- 
	Viktor.





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux