2007-12-02

OpenSSL ate my brain

Spent 2 days on getting one code line working. Here is the bastard:

```c
X509_STORE_set_default_paths(store);
```


It comes from OpenSSL's `crypto` library and is supposed to set the system certificate store paths to their default values: `/etc/ssl/certs` on Debian/Ubuntu, Slackware/Gentoo and many others; it may also be `/usr/local/ssl/certs`. But to actually get a certificate out of that store, some further steps are needed. Figuring them out seems to take a lot of time, at least for a cryptography newbie like me.

First we need to install the certificate. It is a self-signed certificate in my case. Make sure your default store is `/etc/ssl/certs`. If it has some other path, change the instructions accordingly.

```sh
sudo openssl x509 -in CertFilePath.pem -out /etc/ssl/certs/TrustedCertFile.pem
```


  • `TrustedCertFile.pem` is the file that will be created in the OpenSSL certificate store.
  • `CertFilePath.pem` is the path to the certificate you want to install. If your certificate is in some other format, like CER, search Google to find out how to convert it to PEM or, alternatively, how to convert and install it in one `openssl` command. This should be doable.


And now the most important part. If you are searching for trusted certificates by subject -- and usually you are -- you need to create a symbolic link to the certificate. Run `ls -l /etc/ssl/certs` to look closer at the structure of the store, if you haven't done so yet. There are lots of files called `xxxxxxxx.0`; those are the symbolic links I am talking about. Notice that those names are hex numbers. They are the first 4 bytes of the certificate subject hash. A certificate is actually searched for by its subject hash. Read it once again.

Finally, we create the required symbolic link.

```sh
cd /etc/ssl/certs
sudo ln -s TrustedCertFile.pem `openssl x509 -subject_hash -in TrustedCertFile.pem -noout`.0
```


  • `openssl x509 -subject_hash -in TrustedCertFile.pem -noout` calculates the 4 bytes of the certificate subject hash.
  • Adding `.0`, we get the symbolic link file name.
  • The link points to `TrustedCertFile.pem`, previously installed in the same directory.
  • `ln -s` creates a symbolic link; check `ln --help`.

Now you should be able to get the required trusted certificate out of the store.
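
The two steps above as one script, run against a scratch directory instead of `/etc/ssl/certs` (an added example, not code from the original post). It goes slightly beyond the post by picking the next free `.N` suffix when another certificate already uses the same subject hash, and it confirms the lookup with `openssl verify -CApath`. The function names `make_constructed_cert`, `install_trusted_cert` and `cert_is_trusted` are assumptions made for this example.

```sh
#!/bin/sh
# Added example; function names are hypothetical, the certificate is constructed.

make_constructed_cert() {   # $1 = output PEM path (key goes to $1.key)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-example" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Copy a PEM certificate into the store and link it as <subject-hash>.<n>.
# Prints the link name. Compute the hash with the same openssl that will read
# the store: the algorithm changed in OpenSSL 1.0.0 (see -subject_hash_old).
install_trusted_cert() {    # $1 = source PEM, $2 = store directory
    name=$(basename "$1")
    openssl x509 -in "$1" -out "$2/$name" || return 1
    hash=$(openssl x509 -subject_hash -noout -in "$2/$name") || return 1
    fp=$(openssl x509 -fingerprint -sha256 -noout -in "$2/$name")
    n=0
    # Certificates with the same subject hash take .0, .1, .2, ... in order.
    while [ -e "$2/$hash.$n" ] || [ -L "$2/$hash.$n" ]; do
        other=$(openssl x509 -fingerprint -sha256 -noout \
            -in "$2/$hash.$n" 2>/dev/null) || other=
        # Already linked: reuse the slot instead of adding a duplicate.
        [ "$other" = "$fp" ] && { echo "$hash.$n"; return 0; }
        n=$((n + 1))
    done
    ln -s "$name" "$2/$hash.$n" && echo "$hash.$n"
}

# True if openssl finds the certificate through the hashed directory.
# The output is parsed rather than trusting the exit status alone.
cert_is_trusted() {         # $1 = certificate, $2 = store directory
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Demo: the lookup fails until the hash link exists.
work=$(mktemp -d) && mkdir "$work/store"
make_constructed_cert "$work/ca.pem"
cert_is_trusted "$work/ca.pem" "$work/store" || echo "before: not found"
link=$(install_trusted_cert "$work/ca.pem" "$work/store")
cert_is_trusted "$work/ca.pem" "$work/store" && echo "after: trusted via $link"
rm -rf "$work"
```

To use it on the real store, pass `/etc/ssl/certs` as the second argument and run it with the privileges needed to write there.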
