
As we know, while creating an SSL connection using the OpenSSL APIs, we create an SSL_CTX context object into which all certificates and keys are loaded.

To set up peer verification, we load the CA certificate using the SSL_CTX_load_verify_locations API (the CA is stored in a file).

But now, in my case, the CA is not in a file; I have an X509 *issuerCert. How do I set this issuerCert in the SSL_CTX object?

I found this: C++/OpenSSL: Use root CA from buffer rather than file (SSL_CTX_load_verify_locations)

In the above solution we are creating an X509_STORE * using SSL_CTX_get_cert_store and finally adding the X509 *issuerCert to it.

Now I am confused here: since adding this cert to the X509_STORE * only adds it to the store, how will that cert information be linked to the SSL_CTX?

Ultimately we pass the SSL_CTX to SSL_connect, where all verification (handshaking) happens behind the scenes. So how will that CA cert info reach SSL_connect when using SSL_CTX_get_cert_store instead of SSL_CTX_load_verify_locations?


1 Answer


> In the above solution we are creating an X509_STORE * using SSL_CTX_get_cert_store and finally adding the X509 *issuerCert to it.

You are not "creating" the cert store using SSL_CTX_get_cert_store. You are getting a pointer to the cert store which is part of the SSL_CTX. Any updates to the cert store will be reflected in the SSL_CTX. Note that the API has the following syntax, which takes the SSL_CTX as an argument:

X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
  • Thanks. Please see if you can help me here [link](http://stackoverflow.com/questions/38655411/how-to-convert-x509-certificate-to-stack-ofx509-name/38662865#38662865) – User1234 Jul 30 '16 at 17:21