1
votes

I'm trying to load multiple certificates into an SSL_CTX.

Looking at the documentation, I was able to establish SSL connection using these 2 ways:

  1. Create an X509_STORE, add certificates to the store, and then load the cert store into the SSL_CTX using SSL_CTX_set_cert_store.
  2. Call SSL_CTX_use_certificate(ctx, cert) multiple times

Is there a difference between these two? I saw on StackOverflow somewhere that SSL_CTX_use_certificate does not work with self-signed certs? (Loading CA certificate from memory) Why? I don't see this in the documentation anywhere. (What does it mean to be self-signed?)

Also, for #2, does calling SSL_CTX_use_certificate multiple times replace the existing certificate? Would I need to call SSL_CTX_add_extra_chain_cert?

1
"What does it mean to be self signed?" Any certificate is signed. The signature is computed by another certificate (more precisely by the private key attached to some other certificate). A public global certificate is signed by a known CA (with possible intermediate certificates). A local certificate is signed by itself; it acts as its own CA, and that one can be generated by anyone anytime. So it is self-signed. (Patrick Mevzek)

1 Answer

3
votes

The X509_STORE is used for building the certificate trust chain during certificate validation. Thus, any certificates added by X509_STORE_add_cert are used when validating the peer certificate.

SSL_CTX_use_certificate instead is used to set the local certificate used for authentication against the peer, i.e. this is to set the server certificate at the server and the client certificate at the client. It must be accompanied by a function to set the private key, like SSL_CTX_use_PrivateKey. SSL_CTX_use_certificate can be called multiple times and will either replace the existing certificate or add another one: i.e. one might have both an RSA and an ECDSA certificate at the same time with newer versions of OpenSSL.

"SSL_CTX_use_certificate does not work with self signed certs?"

OpenSSL does not care if the certificate is self-signed or not when using SSL_CTX_use_certificate. The communication peer which receives the certificate as authentication will hopefully care though and might complain since no local trust anchor is found to validate the certificate.
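The point made in the answer (the local certificate is loaded with use_certificate/use_PrivateKey regardless of who signed it; whether the peer accepts it is decided by the peer's X509_STORE) can be exercised end to end without writing C. The following is an added example, not code from the answer, the question or OpenSSL itself. It uses Python's stdlib ssl module, which is a thin wrapper over the calls discussed above: SSLContext.load_cert_chain calls SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey_file and SSL_CTX_check_private_key, and SSLContext.load_verify_locations(cadata=...) adds each certificate to the context's store with X509_STORE_add_cert. Assumptions: an openssl CLI on PATH (OpenSSL 1.1.1 or newer, for -addext) to mint a throwaway self-signed certificate, which is constructed test data; the handshake itself runs in memory over MemoryBIO, so no sockets or network are needed.

```python
import os
import ssl
import subprocess
import tempfile


def make_self_signed(dirpath, cn="localhost"):
    """Mint a throwaway RSA key and self-signed certificate with the openssl
    CLI. Constructed test data: the cert is its own issuer, which is exactly
    the case the question asks about."""
    key = os.path.join(dirpath, "key.pem")
    cert = os.path.join(dirpath, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}"],
        check=True, capture_output=True)
    return cert, key


def handshake(server_ctx, client_ctx, hostname="localhost"):
    """Drive a complete TLS handshake in memory (MemoryBIO, no sockets) and
    return the negotiated protocol version. A verification failure on the
    client side surfaces here as ssl.SSLCertVerificationError."""
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    client_done = server_done = False
    for _ in range(16):  # a handshake needs only a handful of flights
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
        s_in.write(c_out.read())     # client flight -> server
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        c_in.write(s_out.read())     # server flight -> client
        if client_done and server_done:
            return client.version()
    raise RuntimeError("handshake did not complete")


def demo():
    """Returns (verify_code seen by a client whose trust store is empty,
    protocol version negotiated once the same cert sits in that store)."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d)

        # Server side: the local identity (SSL_CTX_use_certificate_chain_file
        # + SSL_CTX_use_PrivateKey_file + SSL_CTX_check_private_key).
        # OpenSSL does not care that the cert is self-signed here; it only
        # checks that the key matches the certificate.
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)

        # Client 1: verification on (the PROTOCOL_TLS_CLIENT default) but an
        # empty X509_STORE, so the peer's self-signed cert has no anchor.
        untrusting = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            handshake(server_ctx, untrusting)
            verify_code = None
        except ssl.SSLCertVerificationError as e:
            # 18 == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
            verify_code = e.verify_code

        # Client 2: the same cert added to the store (X509_STORE_add_cert),
        # which makes it a trust anchor for this one peer. No change on the
        # server side is needed.
        trusting = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        with open(cert) as f:
            trusting.load_verify_locations(cadata=f.read())
        version = handshake(server_ctx, trusting)
        return verify_code, version


if __name__ == "__main__":
    print(demo())
```

Running it prints something like `(18, 'TLSv1.3')`: the first client rejects the certificate with X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT even though the server loaded it without complaint, and the second client, whose store now contains the certificate, completes the handshake. Pinning a self-signed certificate this way trusts that one certificate only, not anything it might sign, which is the right scope for a local or test deployment.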