2 Jul 18:22
Re: adding trusted CAs
From: Simon Josefsson <simon <at> josefsson.org>
Subject: Re: adding trusted CAs
Newsgroups: gmane.network.gnutls.general
Date: 2008-07-02 16:22:07 GMT
"Rainer Gerhards" <rgerhards <at> gmail.com> writes:

> Hi all,
>
> this is probably an exceptionally dumb question, but... ;)
>
> I would like to ship a number of trusted roots with the default
> rsyslog install - much like web browsers do. The idea is that I would
> like to be able to automatically verify certificates that have been
> obtained by one of those well-known CA.
>
> Question now: how do I do that? Do I simply add the certificate blocks
> into a single big .pem file? Or do I need to supply multiple files.

Yes, that is typically the simplest. The
gnutls_certificate_set_x509_trust_file function will read multiple CAs
from a file.

> Also (the probably really dumb one ;)): how do I obtain these
> certificates? Ask the CAs? Or export them from the browser (I've not
> found this option in Firefox).
>
> Advice is appreciated.

Extracting them from a browser has been done:

http://curl.haxx.se/docs/caextract.html

I don't recommend shipping these CAs as "trusted" CAs without verifying
them though. It is generally safest to ask users to install the CAs
they trust manually.

/Simon
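An added example, not part of the original post and not GnuTLS code: a pre-shipping audit of a concatenated PEM trust file of the kind passed to gnutls_certificate_set_x509_trust_file, listing one SHA-256 fingerprint per certificate block so each can be compared with a value confirmed out of band. The function names are hypothetical, and the sample bundle is constructed from placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import re

# Matches one PEM block of any type; the label is checked separately.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _pem(label, raw):
    b64 = base64.encodebytes(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

# Constructed sample: placeholder bytes stand in for DER certificates.
SAMPLE = (_pem("CERTIFICATE", b"constructed-root-A")
          + _pem("CERTIFICATE", b"constructed-root-B")
          + _pem("CERTIFICATE", b"constructed-root-A")   # duplicate entry
          + _pem("RSA PRIVATE KEY", b"must-not-ship"))   # stray key material

def audit_bundle(pem_text):
    """Return (entries, problems): entries are (block_index, sha256_hex)."""
    entries, problems, seen = [], [], set()
    for idx, m in enumerate(PEM_BLOCK.finditer(pem_text), 1):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            problems.append(f"block {idx}: unexpected type {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"block {idx}: invalid base64")
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            problems.append(f"block {idx}: duplicate of an earlier certificate")
            continue
        seen.add(fp)
        entries.append((idx, fp))
    # More BEGIN markers than complete blocks means something was cut off.
    if pem_text.count("-----BEGIN ") != len(PEM_BLOCK.findall(pem_text)):
        problems.append("unterminated PEM block (truncated file?)")
    return entries, problems

def unverified(entries, verified_fingerprints):
    """Entries whose fingerprint was not confirmed out of band."""
    return [(i, fp) for i, fp in entries if fp not in verified_fingerprints]

if __name__ == "__main__":
    found, issues = audit_bundle(SAMPLE)
    for i, fp in found:
        print(f"block {i}: sha256 {fp}")
    print("\n".join("PROBLEM: " + p for p in issues))
```

Anything returned by `unverified` or listed in `problems` is a reason to hold the bundle back until the entry has been checked or removed.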