Message-ID: <4BB62AAB.6040905@infracaninophile.co.uk>
Date: Fri, 02 Apr 2010 18:34:35 +0100
From: Matthew Seaman
Organization: Infracaninophile
To: Adam Vande More
Cc: freebsd-questions@freebsd.org
References: <20100402110430.13bcdc03@scorpio.seibercom.net>
Subject: Re: Combining SSL certificates

On 02/04/2010 17:19:02, Adam Vande More wrote:
> On Fri, Apr 2, 2010 at 9:04 AM, Jerry wrote:
>
>> Is it possible to combine all of the certificates in a chain into one
>> *.pem file?
>>
>> EXAMPLE:
>>
>> openssl s_client -connect imap.gmail.com:993 -crlf -showcerts
>>
>> This would show, in this case anyway, two certificates. Could I combine
>> both certs into one file, example: gmail-imap.pem and then run
>> 'c_rehash' on the file or do I have to save both certs in separate
>> files to complete the chain?
>>
>
> Doesn't it work to simply concatenate pem's together? It was my
> understanding it was possible to do that, but perhaps order of concatenation
> matters. So make sure you're dealing with pem's and cat together with root
> being last and I think it should work.

Depends on the application I think. Some applications like SSL key and
cert in the same file. Some applications want them separate. Some
applications like SSL Certs and all of the CA-Cert keys used to sign it
concatenated together; others like separate files for CA-Certs; yet
others only want CA Certs which aren't from one of the well-known root CAs.

Can't say as I've ever run into an app that likes several different keys
or certs in the same file [well, except for Java keystores, but in that
case the appropriate response is to scream and run away very quickly]

You pays your money, and you takes your choice.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
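
The split-or-combine choice discussed in this thread, as an added example that is not part of the original messages: it takes text in the shape `openssl s_client -showcerts` prints and produces both layouts, one file per certificate (for a directory that `c_rehash` is run on) and a single concatenated bundle in the order the certificates were received. The helper name `split_showcerts`, the output file names and the sample input are assumptions constructed for illustration.

```shell
# Added example: split `openssl s_client -showcerts`-style text into PEM files.
# split_showcerts (hypothetical helper) reads that text on stdin and writes
#   OUTDIR/cert-1.pem, cert-2.pem, ...  one certificate per file, in order seen
#   OUTDIR/chain.pem                    the same certificates concatenated
# It prints the number of certificates and fails on a truncated block.
split_showcerts() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    rm -f "$outdir"/cert-*.pem "$outdir/chain.pem"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; inside = 1
            file = sprintf("%s/cert-%d.pem", dir, n)
        }
        inside {
            sub(/\r$/, "")                  # tolerate CRLF line endings
            print > file
            print > (dir "/chain.pem")
        }
        /^-----END CERTIFICATE-----/ { if (inside) close(file); inside = 0 }
        END {
            if (inside) exit 1              # BEGIN without matching END
            print n + 0
        }'
}

# Constructed sample; the base64 bodies are placeholders, not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=leaf.example.test
   i:/CN=Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTEVBRg==
-----END CERTIFICATE-----
 1 s:/CN=Example Test CA
   i:/CN=Example Test Root
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgUk9PVA==
-----END CERTIFICATE-----
---
EOF
}

demo_dir=$(mktemp -d)
echo "$(sample_output | split_showcerts "$demo_dir") certificates in $demo_dir"
```

To process a live chain, pipe the `openssl s_client ... -showcerts` command from the question into `split_showcerts` in place of `sample_output`; which of the two layouts to use depends on the application, as the reply says.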