Pound Mailing List Archive, August 2010

Possible to use system certificates for client cert verification?
Rob Moore <rob.moore(at)gmail.com> | 2010-08-26 17:31:03

I would like to use the CA certificates installed as part of the OS (Ubuntu
Linux in this case) to verify client certificates rather than specify a
particular file containing these CA certificates using VerifyList. I've
tried specifying "ClientCert 2 9" without defining VerifyList but received
an error which I assume is because no VerifyList has been defined.
I'd thought that the OpenSSL libraries would pick up the system certificates
by default but perhaps this is not the case?
Thanks,
Rob
RE: [Pound Mailing List] Possible to use system certificates for client cert verification?
Joe Gooch <mrwizard(at)k12system.com> | 2010-08-26 17:58:51

My guess would be that because it's for client verification, not for general
trust determination, the verification list is separate from the default
system CA list. I'd have to look in the code to confirm.
If your Ubuntu box is like my Debian Lenny box, wouldn't all the certs in
/etc/ssl/certs/ be compiled/concatenated into
/etc/ssl/certs/ca-certificates.crt? That would be your system list.
If they aren't already, it would be relatively trivial to run cat
/etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt as part of the
pound init.d or startup script.
Joe
[...]
Re: [Pound Mailing List] Possible to use system certificates for client cert verification?
Rob Moore <rob.moore(at)gmail.com> | 2010-08-26 18:21:44

Thanks for the tip, Joe. I didn't realize that they were already compiled
into a single file. Following your lead I came across the command
'update-ca-certificates' which can be used to update the
/etc/ssl/certs/ca-certificates.crt file.
Rob
On Thu, Aug 26, 2010 at 10:58 AM, Joe Gooch <mrwizard(at)k12system.com>
wrote:
[...]
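The concatenation Joe suggests, and the ca-certificates.crt bundle Rob ends up pointing VerifyList at, worked through as a runnable shell example. This is added here and is not code from the thread or from Pound. It creates a throwaway CA and two client certificates with the openssl tool in a temporary directory, builds a ca-certificates.crt-style bundle from a directory of PEM files (skipping anything that does not parse as a certificate), and checks each client certificate against that bundle with "openssl verify", which is the chain check Pound performs for ClientCert once VerifyList names a file. The Pound directive names in the leading comment are Pound's own; the paths, ports and certificate subjects are assumptions. Two caveats a practitioner would want: OpenSSL only consults its compiled-in default CA locations when the application asks for them (SSL_CTX_set_default_verify_paths), so a verify file loaded explicitly, as VerifyList is, is a separate store and the system bundle has to be named by path; and pointing VerifyList at the full system bundle accepts a client certificate issued by any public CA in it, so for client authentication VerifyList normally names only the CA that issues your client certificates, which is what the single-CA "trusted" directory below models.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pound: build a VerifyList-style
# CA bundle from a directory of PEM files (Joe's cat-into-ca-certificates.crt idea,
# with a per-file sanity check) and exercise it against client certificates the
# way Pound's "ClientCert 2 9" + "VerifyList" does at the TLS layer.
# Everything is a constructed throwaway PKI in a temp directory; /etc/ssl/certs is
# never touched. Requires the openssl command-line tool.
#
# The Pound directives this models (directive names are Pound's; paths assumed):
#   ListenHTTPS
#       Address 0.0.0.0
#       Port 443
#       Cert "/etc/pound/server.pem"
#       ClientCert 2 9
#       VerifyList "/etc/ssl/certs/ca-certificates.crt"
#       Service
#           BackEnd
#               Address 127.0.0.1
#               Port 8080
#           End
#       End
#   End

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: one CA we intend to trust, with a client cert "alice" it issued,
# and an unrelated CA that issued "mallory", to show what an untrusted issuer does.
make_test_pki() {
    ( cd "$WORK" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Client CA" \
          -keyout ca.key -out ca.pem >/dev/null 2>&1 &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
          -keyout alice.key -out alice.csr >/dev/null 2>&1 &&
      openssl x509 -req -days 1 -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -out alice.pem >/dev/null 2>&1 &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
          -keyout other.key -out other.pem >/dev/null 2>&1 &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=mallory" \
          -keyout mallory.key -out mallory.csr >/dev/null 2>&1 &&
      openssl x509 -req -days 1 -in mallory.csr -CA other.pem -CAkey other.key -CAcreateserial \
          -out mallory.pem >/dev/null 2>&1 )
}

# Concatenate every *.pem in a directory into one bundle, as Joe's one-liner does,
# but only files that parse as X.509 certificates: a stray key, CSR or note file
# would otherwise end up in VerifyList. Prints the number of certificates bundled.
build_bundle() {
    dir="$1"; out="$2"; count=0
    : > "$out"
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        if openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            cat "$f" >> "$out"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Chain a presented client certificate to the anchors in the bundle, the check
# Pound's ClientCert verification performs. An empty -CApath is passed so the
# openssl CLI does not also pull in its default CA directory, which an
# application loading an explicit verify file would not see. Prints OK or FAIL
# so callers can use it under "set -e" without the openssl exit status aborting.
verify_client_cert() {
    mkdir -p "$WORK/empty-capath"
    if openssl verify -CAfile "$1" -CApath "$WORK/empty-capath" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Generate the PKI, stage only the CA we trust (plus a deliberately non-certificate
# file) into a directory, and build the bundle from it. Prints the certificate count.
prepare_demo() {
    make_test_pki || return 1
    mkdir -p "$WORK/trusted"
    cp "$WORK/ca.pem" "$WORK/trusted/example-client-ca.pem"
    printf 'not a certificate\n' > "$WORK/trusted/README.pem"   # constructed stray file
    build_bundle "$WORK/trusted" "$WORK/ca-certificates.crt"
}

echo "bundled certificates: $(prepare_demo)"
echo "alice (issued by trusted CA):   $(verify_client_cert "$WORK/ca-certificates.crt" "$WORK/alice.pem")"
echo "mallory (issued by another CA): $(verify_client_cert "$WORK/ca-certificates.crt" "$WORK/mallory.pem")"
```

On Debian and Ubuntu the packaged equivalent of build_bundle is the update-ca-certificates command Rob found: it rebuilds /etc/ssl/certs/ca-certificates.crt from the certificates enabled in /etc/ca-certificates.conf plus anything dropped into /usr/local/share/ca-certificates, so a private client CA can be added there and VerifyList pointed at the result, or, more narrowly, VerifyList can name a file containing just that private CA.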
RE: [Pound Mailing List] Possible to use system certificates for client cert verification?
Joe Gooch <mrwizard(at)k12system.com> | 2010-08-26 18:27:01

And now I know about that command... Equitable exchange!
Glad it'll work for you :)
Joe
[...]