passf...@googlemail.com
> I use SSL_ConfigSecureServer with a certificate which was created in
> memory (no db). The certificate was created with the
> CERT_CreateCertificate passing the CA's issuer. The same cert was
> also signed with the CA's key. The CA cert was also created on the
> fly, i.e. without the need to set up a DB. My understanding is that
> SSL_ConfigSecureServer will extract the chain from the certificate
> using CERT_CertChainFromCert, but since at no stage am I somehow
> embedding the CA into the resulting cert, how is this going to work?
>
> I am not sure if it is possible to embed the CA cert data in the cert
> created by CERT_CreateCertificate. If this is possible, can you
> point me to an example of how this is done?
Every time you create a CERTCertificate object, NSS adds the certificate to a hidden global hash table in memory, keyed by the subject name. When doing certificate path building (CERT_CertChainFromCert, CERT_VerifyCert, et al.) NSS looks up the issuer names in that global hash table. Consequently, as long as you have a reference to the CERTCertificate for the certs in the cert chain at the time libssl calls CERT_CertChainFromCert, libssl will be able to construct the cert chain correctly.

Cheers,
Brian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto