1 .\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.2 2016/12/01 22:17:32 schwarze Exp $
2 .\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000
4 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
5 .\" Copyright (c) 2000, 2001, 2002, 2003, 2005 The OpenSSL Project.
6 .\" All rights reserved.
8 .\" Redistribution and use in source and binary forms, with or without
9 .\" modification, are permitted provided that the following conditions
12 .\" 1. Redistributions of source code must retain the above copyright
13 .\" notice, this list of conditions and the following disclaimer.
15 .\" 2. Redistributions in binary form must reproduce the above copyright
16 .\" notice, this list of conditions and the following disclaimer in
17 .\" the documentation and/or other materials provided with the
20 .\" 3. All advertising materials mentioning features or use of this
21 .\" software must display the following acknowledgment:
22 .\" "This product includes software developed by the OpenSSL Project
23 .\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 .\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 .\" endorse or promote products derived from this software without
27 .\" prior written permission. For written permission, please contact
28 .\" openssl-core@openssl.org.
30 .\" 5. Products derived from this software may not be called "OpenSSL"
31 .\" nor may "OpenSSL" appear in their names without prior written
32 .\" permission of the OpenSSL Project.
34 .\" 6. Redistributions of any form whatsoever must retain the following
36 .\" "This product includes software developed by the OpenSSL Project
37 .\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 .\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 .\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 .\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 .\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
52 .Dd $Mdocdate: December 1 2016 $
53 .Dt SSL_CTX_USE_CERTIFICATE 3
56 .Nm SSL_CTX_use_certificate ,
57 .Nm SSL_CTX_use_certificate_ASN1 ,
58 .Nm SSL_CTX_use_certificate_file ,
59 .Nm SSL_use_certificate ,
60 .Nm SSL_use_certificate_ASN1 ,
61 .Nm SSL_use_certificate_file ,
62 .Nm SSL_CTX_use_certificate_chain_file ,
63 .Nm SSL_CTX_use_certificate_chain_mem ,
64 .Nm SSL_CTX_use_PrivateKey ,
65 .Nm SSL_CTX_use_PrivateKey_ASN1 ,
66 .Nm SSL_CTX_use_PrivateKey_file ,
67 .Nm SSL_CTX_use_RSAPrivateKey ,
68 .Nm SSL_CTX_use_RSAPrivateKey_ASN1 ,
69 .Nm SSL_CTX_use_RSAPrivateKey_file ,
70 .Nm SSL_use_PrivateKey_file ,
71 .Nm SSL_use_PrivateKey_ASN1 ,
72 .Nm SSL_use_PrivateKey ,
73 .Nm SSL_use_RSAPrivateKey ,
74 .Nm SSL_use_RSAPrivateKey_ASN1 ,
75 .Nm SSL_use_RSAPrivateKey_file ,
76 .Nm SSL_CTX_check_private_key ,
77 .Nm SSL_check_private_key
78 .Nd load certificate and key data
82 .Fn SSL_CTX_use_certificate "SSL_CTX *ctx" "X509 *x"
84 .Fn SSL_CTX_use_certificate_ASN1 "SSL_CTX *ctx" "int len" "unsigned char *d"
86 .Fn SSL_CTX_use_certificate_file "SSL_CTX *ctx" "const char *file" "int type"
88 .Fn SSL_use_certificate "SSL *ssl" "X509 *x"
90 .Fn SSL_use_certificate_ASN1 "SSL *ssl" "unsigned char *d" "int len"
92 .Fn SSL_use_certificate_file "SSL *ssl" "const char *file" "int type"
94 .Fn SSL_CTX_use_certificate_chain_file "SSL_CTX *ctx" "const char *file"
96 .Fn SSL_CTX_use_certificate_chain_mem "SSL_CTX *ctx" "void *buf" "int len"
98 .Fn SSL_CTX_use_PrivateKey "SSL_CTX *ctx" "EVP_PKEY *pkey"
100 .Fo SSL_CTX_use_PrivateKey_ASN1
101 .Fa "int pk" "SSL_CTX *ctx" "unsigned char *d" "long len"
104 .Fn SSL_CTX_use_PrivateKey_file "SSL_CTX *ctx" "const char *file" "int type"
106 .Fn SSL_CTX_use_RSAPrivateKey "SSL_CTX *ctx" "RSA *rsa"
108 .Fn SSL_CTX_use_RSAPrivateKey_ASN1 "SSL_CTX *ctx" "unsigned char *d" "long len"
110 .Fn SSL_CTX_use_RSAPrivateKey_file "SSL_CTX *ctx" "const char *file" "int type"
112 .Fn SSL_use_PrivateKey "SSL *ssl" "EVP_PKEY *pkey"
114 .Fn SSL_use_PrivateKey_ASN1 "int pk" "SSL *ssl" "unsigned char *d" "long len"
116 .Fn SSL_use_PrivateKey_file "SSL *ssl" "const char *file" "int type"
118 .Fn SSL_use_RSAPrivateKey "SSL *ssl" "RSA *rsa"
120 .Fn SSL_use_RSAPrivateKey_ASN1 "SSL *ssl" "unsigned char *d" "long len"
122 .Fn SSL_use_RSAPrivateKey_file "SSL *ssl" "const char *file" "int type"
124 .Fn SSL_CTX_check_private_key "const SSL_CTX *ctx"
126 .Fn SSL_check_private_key "const SSL *ssl"
128 These functions load the certificates and private keys into the
132 object, respectively.
136 class of functions loads the certificates and keys into the
140 The information is passed to
148 by copying, so that changes applied to
150 do not propagate to already existing
156 class of functions only loads certificates and keys into a specific
159 The specific information is kept when
165 .Fn SSL_CTX_use_certificate
166 loads the certificate
170 .Fn SSL_use_certificate
175 The rest of the certificates needed to form the complete certificate chain can
176 be specified using the
177 .Xr SSL_CTX_add_extra_chain_cert 3
180 .Fn SSL_CTX_use_certificate_ASN1
181 loads the ASN1 encoded certificate from the memory location
187 .Fn SSL_use_certificate_ASN1
188 loads the ASN1 encoded certificate into
191 .Fn SSL_CTX_use_certificate_file
192 loads the first certificate stored in
198 of the certificate must be specified from the known types
201 .Dv SSL_FILETYPE_ASN1 .
202 .Fn SSL_use_certificate_file
203 loads the certificate from
210 .Fn SSL_CTX_use_certificate_chain_file
214 .Fn SSL_CTX_use_certificate_chain*
215 functions load a certificate chain into
217 The certificates must be in PEM format and must be sorted starting with the
218 subject's certificate (actual client or server certificate),
219 followed by intermediate CA certificates if applicable,
220 and ending at the highest level (root) CA.
221 There is no corresponding function working on a single
225 .Fn SSL_CTX_use_PrivateKey
230 .Fn SSL_CTX_use_RSAPrivateKey
235 .Fn SSL_use_PrivateKey
240 .Fn SSL_use_RSAPrivateKey
243 as private key of type RSA to
245 If a certificate has already been set and the private does not belong to the
246 certificate, an error is returned.
247 To change a certificate private key pair,
248 the new certificate needs to be set with
249 .Fn SSL_use_certificate
251 .Fn SSL_CTX_use_certificate
252 before setting the private key with
253 .Fn SSL_CTX_use_PrivateKey
255 .Fn SSL_use_PrivateKey .
257 .Fn SSL_CTX_use_PrivateKey_ASN1
258 adds the private key of type
260 stored at memory location
266 .Fn SSL_CTX_use_RSAPrivateKey_ASN1
267 adds the private key of type RSA stored at memory location
273 .Fn SSL_use_PrivateKey_ASN1
275 .Fn SSL_use_RSAPrivateKey_ASN1
276 add the private key to
279 .Fn SSL_CTX_use_PrivateKey_file
280 adds the first private key found in
286 of the certificate must be specified from the known types
289 .Dv SSL_FILETYPE_ASN1 .
290 .Fn SSL_CTX_use_RSAPrivateKey_file
291 adds the first private RSA key found in
295 .Fn SSL_use_PrivateKey_file
296 adds the first private key found in
300 .Fn SSL_use_RSAPrivateKey_file
301 adds the first private RSA key found to
304 .Fn SSL_CTX_check_private_key
305 checks the consistency of a private key with the corresponding certificate
308 If more than one key/certificate pair (RSA/DSA) is installed,
309 the last item installed will be checked.
310 If, e.g., the last item was a RSA certificate or key,
311 the RSA key/certificate pair will be checked.
312 .Fn SSL_check_private_key
313 performs the same check for
315 If no key/certificate was explicitly added for this
317 the last item added into
321 The internal certificate store of OpenSSL can hold two private key/certificate
323 one key/certificate of type RSA and one key/certificate of type DSA.
324 The certificate used depends on the cipher select, see also
325 .Xr SSL_CTX_set_cipher_list 3 .
327 When reading certificates and private keys from file, files of type
328 .Dv SSL_FILETYPE_ASN1
331 binary encoding) can only contain one certificate or private key; consequently,
332 .Fn SSL_CTX_use_certificate_chain_file
333 is only applicable to PEM formatting.
336 can contain more than one item.
338 .Fn SSL_CTX_use_certificate_chain_file
339 adds the first certificate found in the file to the certificate store.
340 The other certificates are added to the store of chain certificates using
341 .Xr SSL_CTX_add_extra_chain_cert 3 .
342 There exists only one extra chain store, so that the same chain is appended
343 to both types of certificates, RSA and DSA!
344 If it is not intended to use both type of certificate at the same time,
345 it is recommended to use the
346 .Fn SSL_CTX_use_certificate_chain_file
348 .Fn SSL_CTX_use_certificate_file
349 function in order to allow the use of complete certificate chains even when no
350 trusted CA storage is used or when the CA issuing the certificate shall not be
351 added to the trusted CA storage.
353 If additional certificates are needed to complete the chain during the TLS
354 negotiation, CA certificates are additionally looked up in the locations of
355 trusted CA certificates (see
356 .Xr SSL_CTX_load_verify_locations 3 ) .
358 The private keys loaded from file can be encrypted.
359 In order to successfully load encrypted keys,
360 a function returning the passphrase must have been supplied (see
361 .Xr SSL_CTX_set_default_passwd_cb 3 ) .
362 (Certificate files might be encrypted as well from the technical point of view,
363 it however does not make sense as the data in the certificate is considered
366 On success, the functions return 1.
367 Otherwise check out the error stack to find out the reason.
371 .Xr SSL_CTX_add_extra_chain_cert 3 ,
372 .Xr SSL_CTX_load_verify_locations 3 ,
373 .Xr SSL_CTX_set_cipher_list 3 ,
374 .Xr SSL_CTX_set_client_cert_cb 3 ,
375 .Xr SSL_CTX_set_default_passwd_cb 3 ,
378 Support for DER encoded private keys
379 .Pq Dv SSL_FILETYPE_ASN1
381 .Fn SSL_CTX_use_PrivateKey_file
383 .Fn SSL_use_PrivateKey_file