1SSL_CTX_LOAD_VERIFY_LOCATIONS(3ossl)OpenSSLSSL_CTX_LOAD_VERIFY_LOCATIONS(3ossl)
2
3
4
6 SSL_CTX_load_verify_dir, SSL_CTX_load_verify_file,
7 SSL_CTX_load_verify_store, SSL_CTX_set_default_verify_paths,
8 SSL_CTX_set_default_verify_dir, SSL_CTX_set_default_verify_file,
9 SSL_CTX_set_default_verify_store, SSL_CTX_load_verify_locations - set
10 default locations for trusted CA certificates
11
13 #include <openssl/ssl.h>
14
15 int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
16 int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile);
17 int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore);
18
19 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
20
21 int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
22 int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
23 int SSL_CTX_set_default_verify_store(SSL_CTX *ctx);
24
25 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
26 const char *CApath);
27
29 SSL_CTX_load_verify_locations(), SSL_CTX_load_verify_dir(),
30 SSL_CTX_load_verify_file(), SSL_CTX_load_verify_store() specifies the
31 locations for ctx, at which CA certificates for verification purposes
32 are located. The certificates available via CAfile, CApath and CAstore
33 are trusted.
34
35 Details of the certificate verification and chain checking process are
36 described in "Certification Path Validation" in
37 openssl-verification-options(1).
38
39 SSL_CTX_set_default_verify_paths() specifies that the default locations
40 from which CA certificates are loaded should be used. There is one
41 default directory, one default file and one default store. The default
42 CA certificates directory is called certs in the default OpenSSL
43 directory, and this is also the default store. Alternatively the
44 SSL_CERT_DIR environment variable can be defined to override this
45 location. The default CA certificates file is called cert.pem in the
46 default OpenSSL directory. Alternatively the SSL_CERT_FILE environment
47 variable can be defined to override this location.
48
49 SSL_CTX_set_default_verify_dir() is similar to
50 SSL_CTX_set_default_verify_paths() except that just the default
51 directory is used.
52
53 SSL_CTX_set_default_verify_file() is similar to
54 SSL_CTX_set_default_verify_paths() except that just the default file is
55 used.
56
57 SSL_CTX_set_default_verify_store() is similar to
58 SSL_CTX_set_default_verify_paths() except that just the default store
59 is used.
60
62 If CAfile is not NULL, it points to a file of CA certificates in PEM
63 format. The file can contain several CA certificates identified by
64
65 -----BEGIN CERTIFICATE-----
66 ... (CA certificate in base64 encoding) ...
67 -----END CERTIFICATE-----
68
69 sequences. Before, between, and after the certificates text is allowed
70 which can be used e.g. for descriptions of the certificates.
71
72 The CAfile is processed on execution of the
73 SSL_CTX_load_verify_locations() function.
74
75 If CApath is not NULL, it points to a directory containing CA
76 certificates in PEM format. The files each contain one CA certificate.
77 The files are looked up by the CA subject name hash value, which must
78 hence be available. If more than one CA certificate with the same name
79 hash value exist, the extension must be different (e.g. 9d66eef0.0,
80 9d66eef0.1 etc). The search is performed in the ordering of the
81 extension number, regardless of other properties of the certificates.
82 Use the c_rehash utility to create the necessary links.
83
84 The certificates in CApath are only looked up when required, e.g. when
85 building the certificate chain or when actually performing the
86 verification of a peer certificate.
87
88 When looking up CA certificates for chain building, the OpenSSL library
89 will search for suitable certificates first in CAfile, then in CApath.
90 Details of the chain building process are described in "Certification
91 Path Building" in openssl-verification-options(1).
92
93 If CAstore is not NULL, it's a URI for to a store, which may represent
94 a single container or a whole catalogue of containers. Apart from the
95 CAstore not necessarily being a local file or directory, it's generally
96 treated the same way as a CApath.
97
98 In server mode, when requesting a client certificate, the server must
99 send the list of CAs of which it will accept client certificates. This
100 list is not influenced by the contents of CAfile or CApath and must
101 explicitly be set using the SSL_CTX_set_client_CA_list(3) family of
102 functions.
103
104 When building its own certificate chain, an OpenSSL client/server will
105 try to fill in missing certificates from CAfile/CApath, if the
106 certificate chain was not explicitly specified (see
107 SSL_CTX_add_extra_chain_cert(3), SSL_CTX_use_certificate(3).
108
110 If several CA certificates matching the name, key identifier, and
111 serial number condition are available, only the first one will be
112 examined. This may lead to unexpected results if the same CA
113 certificate is available with different expiration dates. If a
114 "certificate expired" verification error occurs, no other certificate
115 will be searched. Make sure to not have expired certificates mixed with
116 valid ones.
117
119 For SSL_CTX_load_verify_locations the following return values can
120 occur:
121
122 0 The operation failed because CAfile and CApath are NULL or the
123 processing at one of the locations specified failed. Check the
124 error stack to find out the reason.
125
126 1 The operation succeeded.
127
128 SSL_CTX_set_default_verify_paths(), SSL_CTX_set_default_verify_dir()
129 and SSL_CTX_set_default_verify_file() all return 1 on success or 0 on
130 failure. A missing default location is still treated as a success.
131
133 Generate a CA certificate file with descriptive text from the CA
134 certificates ca1.pem ca2.pem ca3.pem:
135
136 #!/bin/sh
137 rm CAfile.pem
138 for i in ca1.pem ca2.pem ca3.pem ; do
139 openssl x509 -in $i -text >> CAfile.pem
140 done
141
142 Prepare the directory /some/where/certs containing several CA
143 certificates for use as CApath:
144
145 cd /some/where/certs
146 c_rehash .
147
149 ssl(7), SSL_CTX_set_client_CA_list(3), SSL_get_client_CA_list(3),
150 SSL_CTX_use_certificate(3), SSL_CTX_add_extra_chain_cert(3),
151 SSL_CTX_set_cert_store(3), SSL_CTX_set_client_CA_list(3)
152
154 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
155
156 Licensed under the Apache License 2.0 (the "License"). You may not use
157 this file except in compliance with the License. You can obtain a copy
158 in the file LICENSE in the source distribution or at
159 <https://www.openssl.org/source/license.html>.
160
161
162
1633.0.5 2022-07-0S5SL_CTX_LOAD_VERIFY_LOCATIONS(3ossl)