
I have a project where at the end we will use a commercial SSL certificate. However, during development I must use a demo CA. I have successfully created a CA with the following simple command:

openssl req -out ca.pem -new -x509 -days 365

I can use the certificates signed by that CA if I import it at the OS level, e.g. with update-ca-certificates.

I have two problems with it. The same C++ programs using SSL should run on Debian and on an embedded Gentoo Linux as well. On the embedded Linux I don't have update-ca-certificates or a similar tool to import the CA. On the other hand, it would also be much better for me if the CA could be part of the project without OS-level importing. So my question is whether it is possible to accept/import the CA at C++ program runtime. How do I do that?

I've found the following related API functions:

void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
int SSL_add_client_CA(SSL *ssl, X509 *cacert);

It seems that this is for the client side. I want to use server- and client-side certificates as well. Both will be signed with the same CA. How do I do that?

If it is hard to get OpenSSL in C++ to accept my own CA, then how do I import it at the OS level? I've found https://wiki.gentoo.org/wiki/Local_certificates, but this is a very small embedded Gentoo Linux without the update-ca-certificates and emerge tools.

quantummind
  • Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Aug 08 '17 at 11:47
  • @jww This is not helpful for me. Can you answer how to tell C++ to accept the CA, or how to import my own CA without update-ca-certificates or a similar tool on a very small embedded Linux that has OpenSSL? – quantummind Aug 08 '17 at 17:22
  • OpenSSL does not know about OS trust stores, and it does not use `update-ca-certificates`. By default, OpenSSL trusts nothing. In your OpenSSL program, you load the Root CA with `SSL_load_verify_locations` or `SSL_CTX_load_verify_locations`. Also see [SSL/TLS Client](https://wiki.openssl.org/index.php/SSL/TLS_Client) on the OpenSSL wiki. The links in the first comment show you how to issue certificates with your Root CA. "Your Root CA" is the demo CA you are asking about. – jww Aug 08 '17 at 20:04
