Rainer Gerhards | 21 May 11:57

adding trusted CAs

Hi all,

this is probably an exceptionally dumb question, but... ;)

I would like to ship a number of trusted roots with the default
rsyslog install - much like web browsers do. The idea is that I would
like to be able to automatically verify certificates that have been
obtained by one of those well-known CAs.

Question now: how do I do that? Do I simply add the certificate blocks
into a single big .pem file? Or do I need to supply multiple files?

Also (the probably really dumb one ;)): how do I obtain these
certificates? Ask the CAs? Or export them from the browser (I've not
found this option in Firefox).

Advice is appreciated.

Rainer
Simon Josefsson | 2 Jul 18:22

Re: adding trusted CAs

"Rainer Gerhards" <rgerhards <at> gmail.com> writes:

> Hi all,
>
> this is probably an exceptionally dumb question, but... ;)
>
> I would like to ship a number of trusted roots with the default
> rsyslog install - much like web browsers do. The idea is that I would
> like to be able to automatically verify certificates that have been
> obtained by one of those well-known CAs.
>
> Question now: how do I do that? Do I simply add the certificate blocks
> into a single big .pem file? Or do I need to supply multiple files?

Yes, that is typically the simplest.  The
gnutls_certificate_set_x509_trust_file function will read multiple CAs
from a file.

> Also (the probably really dumb one ;)): how do I obtain these
> certificates? Ask the CAs? Or export them from the browser (I've not
> found this option in Firefox).
>
> Advice is appreciated.

Extracting them from a browser has been done:

http://curl.haxx.se/docs/caextract.html

I don't recommend shipping these CAs as "trusted" CAs without verifying
them though.  It is generally safest to ask users to install the CAs
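Simon's reply says a single .pem file holding several CA blocks is what gnutls_certificate_set_x509_trust_file consumes, and that roots should be verified before being shipped as trusted. The following is an added example, not code from the thread, rsyslog or GnuTLS: it splits such a bundle into its certificate blocks (tolerating the comment lines a caextract-style file carries), refuses a truncated or malformed block, and prints a SHA-256 fingerprint per certificate for out-of-band comparison. The bundle contents and the `split_pem_bundle`, `fingerprints`, `is_well_formed` and `to_pem` names are constructed for this example.

```python
"""Inspect a concatenated PEM trust bundle, the single-file form that
gnutls_certificate_set_x509_trust_file reads: split it into certificate blocks
and give a SHA-256 fingerprint of each DER body for checking against the CA."""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One PEM block: the base64 body between the two armor lines (DOTALL spans lines).
_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)

def split_pem_bundle(text):
    """Return the DER bytes of every certificate block, in file order.
    Text outside the armor (e.g. the '# Name' comments caextract writes) is
    ignored. Raises ValueError on a bad base64 body or an unterminated block,
    so a truncated bundle cannot silently drop its last CA."""
    ders = []
    for match in _BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))  # undo line wrapping / CRLF
        try:
            ders.append(base64.b64decode(body, validate=True))
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("certificate block is not valid base64") from exc
    if text.count(BEGIN) != len(ders):
        raise ValueError("bundle contains an unterminated certificate block")
    return ders

def fingerprints(text):
    """SHA-256 hex fingerprint per certificate, the value CAs publish out of band."""
    return [hashlib.sha256(der).hexdigest() for der in split_pem_bundle(text)]

def is_well_formed(text):
    try:
        split_pem_bundle(text)
        return True
    except ValueError:
        return False

def to_pem(der):
    """Wrap DER bytes in PEM armor with the conventional 64-column body lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]) + "\n"

# Constructed sample: two dummy DER payloads (not real certificates) joined into
# one bundle with interleaved comment lines, as caextract-style bundles are.
DER_ONE = b"constructed-der-body-for-root-one" * 3
DER_TWO = b"constructed-der-body-for-root-two" * 3
SAMPLE_BUNDLE = "# Root One\n" + to_pem(DER_ONE) + "\n# Root Two\n" + to_pem(DER_TWO)
```

Run `fingerprints(SAMPLE_BUNDLE)` on a real bundle's text to get one fingerprint per root to compare with what each CA publishes.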