PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
Multiple CA Certificates in a Single File
This section provides a tutorial example on how to store multiple root CA certificates in a single PEM file to be used by Crypt::SSLeay as the HTTPS_CA_FILE environment variable.
Fixing the error that occurred in the previous tutorial is not very hard. Here is what I did:
1. Run Firefox 3 and go to https://www.google.com/accounts/ServiceLogin.
2. Click the Lock icon on the right bottom corner of the browser window.
3. Click "View Certificate" button and go to the "Details" tab.
4. Select the root certificate, "Class 3 Public Primary Certification Authority", in the Certificate Hierarchy section and click "Export..." button.
5. Save the root certificate in "CA_for_Google.crt" using the "X.509 Certificate (PEM)" format.
6. Concatenate CA_for_Google.crt to the end of CA_Bundle.crt using a text editor:
CA certificate for https://login.yahoo.com
-----BEGIN CERTIFICATE-----
MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
...
-----END CERTIFICATE-----
CA certificate for https://www.google.com/accounts/ServiceLogin
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
...
-----END CERTIFICATE-----
7. Run the test script again:
herong> Crypt_SSLeay_HTTPS_GET_with_CA.pl \
   https://www.google.com/accounts/ServiceLogin

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

Request:
GET https://www.google.com/accounts/ServiceLogin
User-Agent: libwww-perl/5.836

Response:
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Server: GSE
Content-Length: 10829
Content-Type: text/html; charset=UTF-8
Client-Peer: 74.125.226.146:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd.
   /CN=Thawte SGC CA
Client-SSL-Cert-Subject: /C=US/ST=California/L=Mountain View/O=Google
   /CN=www.google.com
Client-SSL-Cipher: RC4-SHA
Set-Cookie: GALX=N12o2Dw3nEU;Path=/accounts;Secure
Set-Cookie: GALX=N12o2Dw3nEU;Path=/accounts;Secure
Title: Google Accounts
X-Auto-Login: realm=com.google&args=continue%3Dhttps%253A%252F%252F
   www.google.com%252Faccounts%252FManageAccount
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

<html>
<style type="text/css">
...
The output looks good. Now I know that setting $ENV{HTTPS_CA_FILE} = "CA_Bundle.crt" works for multiple HTTPS servers, with their root CA certificates concatenated into a single file in PEM format.
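A hand-edited bundle is easy to break (an END line lost in the paste, a block truncated, two blocks run together), and Crypt::SSLeay then reports only a verification failure. Here is an added Python check, not part of the tutorial or of Crypt::SSLeay, that walks a concatenated PEM file the way OpenSSL's PEM reader does (label lines between blocks are ignored) and reports every block that is not a base64-encoded DER SEQUENCE; the embedded sample bundle is constructed with tiny DER stubs in place of real certificates.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample, not real certificates: each block wraps a tiny DER SEQUENCE
# so the check can run offline; the last block lost its END line when pasted.
SAMPLE_BUNDLE = """\
CA certificate for https://login.yahoo.com
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
CA certificate for https://www.google.com/accounts/ServiceLogin
-----BEGIN CERTIFICATE-----
MAYCAQECAQI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQU=
"""

def der_sequence_length(der):
    """Total length (header + body) claimed by a DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    n = der[1] & 0x7F if der[1] >= 0x80 else 0   # long form: n length bytes follow
    if n > 4 or len(der) < 2 + n:
        return None
    return 2 + (der[1] if n == 0 else n + int.from_bytes(der[2:2 + n], "big"))

def check_pem_bundle(text):
    """Return (well-formed cert count, [problems]) for a concatenated PEM file."""
    good, problems = 0, []
    blocks = re.findall(rf"{BEGIN}\s*(.*?)\s*{END}", text, re.S)
    for i, b64 in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except binascii.Error:
            problems.append(f"block {i}: not valid base64 (mis-pasted block?)")
            continue
        if der_sequence_length(der) != len(der):
            problems.append(f"block {i}: decoded bytes are not one DER SEQUENCE")
        else:
            good += 1
    opened, closed = text.count(BEGIN), text.count(END)
    if opened != closed:
        problems.append(f"{opened} BEGIN lines but {closed} END lines: a block is broken")
    return good, problems
```

Run it on the real file with check_pem_bundle(open("CA_Bundle.crt").read()) before pointing HTTPS_CA_FILE at it; a count lower than the number of CAs you pasted, or any problem line, means the bundle will not verify what you expect.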