On Mon, 28 Dec 2015 15:25:08 GMT, Chang Long wrote:
I need to use a private CA cert (rootCA.crt) on the SSL client side. Is there anyone here who can explain to me how to do it?
I create the related files by:
openssl ecparam -out rootCA.key -name prime192v3 -genkey
openssl req -new -key rootCA.key -x509 -sha256 -nodes -days 365 -subj "/C=C/ST=ST/L=L/O=O/CN=CA" -out rootCA.crt
openssl ecparam -genkey -name prime192v3 -out server.key
openssl req -new -key server.key -subj "/C=C/ST=ST/L=L/O=O/CN=domain.com" -out server.csr
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365
The purpose is to build a server protected by SSL and publish the client executable file with RootCA.crt, to guarantee the connection will be safe from man-in-the-middle attacks.
It should be a matter of calling useCertificateChainFile("server.crt") and usePrivateKeyFile("server.key"). If the root CA needs to be validated by the server, you'll also have to add that to server.crt (cat rootCA.crt >> server.crt).