
I have my own set of trusted certificates. I want OpenSSL to trust them only for domain names in a domain set given by me.

i.e., I need a trusted set of certificates active only for the given set of domains. In my application, all kinds of domains could be used, so I cannot just change the OpenSSL configuration to use only this alternative certificate bundle.

In other words, suppose I have the standard certificate bundle from my operating system (actually, Fedora 37), and I want this exact set

website1.com, website2.com, website3.com

to be trusted if they have a certificate in the chain signed by a certificate in a separate bundle provided by me (or by the system certificate bundle), and all other domains (like google.com) to be validated using only the system bundle.

Hope I explained it in detail.

I tried reading the documentation and random googling. Nothing helped.

socketpair
  • Run `openssl version -d`. Confirm you don't have a `cert.pem` file nor a `certs` sub-folder located in that directory. Then create multiple `cacert.pem` files to suit your CA trust needs, and use a liberal dose of `-CAfile` arguments when calling `openssl s_client` and `openssl verify`. Related: [1](https://stackoverflow.com/a/25169323/11609403), [2](https://stackoverflow.com/a/47865452/11609403), [3](https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/) – leeharvey1 Feb 05 '23 at 20:50
  • @leeharvey1 thanks, but I mean the OpenSSL library used in applications, like Squid, not the openssl command. – socketpair Feb 07 '23 at 03:14
  • Systems do not store/save individual leaf certificates. The TLS protocol receives the certificate over the wire and validates it. You can only affect the trusted root and intermediate CA certificates. If your goal is to create a man-in-the-middle proxy, state that in your question. – John Hanley Jun 29 '23 at 06:43

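One way to get the behaviour the question describes, as an added example that is not from the question or its comments: instead of changing OpenSSL's global configuration, the application keeps two trust stores and picks one per connection based on the hostname it is about to connect to. This is written against Python's `ssl` module (which is a thin wrapper over the OpenSSL library) rather than C; the `/etc/myapp/extra-ca.pem` path and the three `website*.com` names are the question's placeholders, and treating subdomains of a listed domain as covered is an assumption made here, not something the question states.

```python
"""Per-domain trust anchors on top of OpenSSL via Python's ssl module.

Two SSLContext objects are built: one that trusts only the operating-system
CA bundle, and one that trusts the OS bundle plus a private bundle. The
private context is handed out only for hostnames in an allow-list, so a
certificate chaining to the private CA can never validate for google.com:
the context used for google.com has never loaded that CA at all.
"""
import socket
import ssl
from typing import FrozenSet, Optional, Tuple

# Constructed values for the example; the bundle path is hypothetical.
EXTRA_DOMAINS = frozenset({"website1.com", "website2.com", "website3.com"})
EXTRA_BUNDLE_PATH = "/etc/myapp/extra-ca.pem"


def matches_domain_set(hostname: str, domains: FrozenSet[str]) -> bool:
    """True if hostname is one of `domains` or a subdomain of one.

    Design choice (assumption): 'api.website1.com' is covered by 'website1.com'.
    Remove the endswith branch if only exact names should use the extra bundle.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    host = hostname.rstrip(".").lower()
    for d in domains:
        d = d.rstrip(".").lower()
        if host == d or host.endswith("." + d):
            return True
    return False


def build_contexts(
    extra_bundle: Optional[str], system_bundle: Optional[str] = None
) -> Tuple[ssl.SSLContext, ssl.SSLContext]:
    """Return (system_ctx, extra_ctx).

    system_ctx: OS bundle only (cafile=None means OpenSSL's default paths,
                e.g. /etc/pki/tls/certs/ca-bundle.crt on Fedora).
    extra_ctx:  OS bundle *and* the private bundle, so a chain may end at
                either root, which is what the question asks for.
    Both keep check_hostname=True and CERT_REQUIRED from create_default_context.
    """
    system_ctx = ssl.create_default_context(cafile=system_bundle)
    extra_ctx = ssl.create_default_context(cafile=system_bundle)
    if extra_bundle:
        extra_ctx.load_verify_locations(cafile=extra_bundle)
    return system_ctx, extra_ctx


def is_strict(ctx: ssl.SSLContext) -> bool:
    """Sanity check: hostname verification on and a trusted chain required."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def context_for_host(
    hostname: str,
    domains: FrozenSet[str],
    system_ctx: ssl.SSLContext,
    extra_ctx: ssl.SSLContext,
) -> ssl.SSLContext:
    """Select the trust store for this connection by hostname."""
    return extra_ctx if matches_domain_set(hostname, domains) else system_ctx


def open_tls(
    hostname: str,
    port: int,
    domains: FrozenSet[str],
    system_ctx: ssl.SSLContext,
    extra_ctx: ssl.SSLContext,
    timeout: float = 10.0,
) -> ssl.SSLSocket:
    """Connect with the context chosen for `hostname`.

    server_hostname drives both SNI and the hostname check, so even the extra
    context only accepts a private-CA certificate whose SAN matches the name
    that put it on the allow-list in the first place.
    """
    ctx = context_for_host(hostname, domains, system_ctx, extra_ctx)
    raw = socket.create_connection((hostname, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=hostname)


if __name__ == "__main__":
    sys_ctx, ext_ctx = build_contexts(EXTRA_BUNDLE_PATH)
    for name in ("website1.com", "api.website2.com", "google.com"):
        chosen = "system+extra" if context_for_host(
            name, EXTRA_DOMAINS, sys_ctx, ext_ctx) is ext_ctx else "system only"
        print(f"{name:20s} -> {chosen}")
```

The important property is that the split lives in the application, not in OpenSSL's configuration: the OS-only context is what every non-listed name gets, so the private CA's reach is bounded by the allow-list even if that CA's key were ever misused. A proxy such as Squid would need the equivalent selection done in its own code path where it creates the per-connection SSL object, which is why a plain `openssl.cnf` change cannot express this.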