Multiple CA Certificates in a Single File

This section provides a tutorial example on how to store multiple root CA certificates in a single PEM file to be used by Crypt::SSLeay as the HTTPS_CA_FILE environment variable.

Fixing the error that occurred in the previous tutorial is not very hard. Here is what I did:

1. Run Firefox 3 and go to https://www.google.com/accounts/ServiceLogin.

2. Click the Lock icon on the right bottom corner of the browser window.

3. Click "View Certificate" button and go to the "Details" tab.

4. Select the root certificate, "Class 3 Public Primary Certification Authority", in the Certificate Hierarchy section and click "Export..." button.

5. Save the root certificate in "CA_for_Google.crt" using the "X.509 Certificate (PEM)" format.

6. Concatenate CA_for_Google.crt to the end of CA_Bundle.crt using a text editor:

CA certificate for https://login.yahoo.com
-----BEGIN CERTIFICATE-----
MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
...
-----END CERTIFICATE-----

CA certificate for https://www.google.com/accounts/ServiceLogin
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
...
-----END CERTIFICATE-----

7. Run the test script again:

C:\herong>Crypt_SSLeay_HTTPS_GET_with_CA.pl 
   https://www.google.com/accounts/ServiceLogin

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

Request:
GET https://www.google.com/accounts/ServiceLogin
User-Agent: libwww-perl/5.836

Response:
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Server: GSE
Content-Length: 10829
Content-Type: text/html; charset=UTF-8
Client-Peer: 74.125.226.146:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd.
   /CN=Thawte SGC CA
Client-SSL-Cert-Subject: /C=US/ST=California/L=Mountain View/O=Google
   /CN=www.google.com
Client-SSL-Cipher: RC4-SHA
Set-Cookie: GALX=N12o2Dw3nEU;Path=/accounts;Secure
Set-Cookie: GALX=N12o2Dw3nEU;Path=/accounts;Secure
Title: Google Accounts
X-Auto-Login: realm=com.google&args=continue%3Dhttps%253A%252F%252F
   www.google.com%252Faccounts%252FManageAccount
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

<html>
<style type="text/css">
...

The output looks good. Now I know that $ENV{HTTPS_CA_FILE} = "CA_Bundle.crt" can be used for multiple HTTPS servers with multiple CA certificates concatenated in a single file using the PEM format.
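Because the bundle above was assembled by hand in a text editor, the mistakes that break it are structural: a missing END line, a truncated paste, or a stray character inside the base64 body. The following script is an added example, not code from the tutorial; it is written in Python rather than Perl because it only concerns the PEM file format, and it uses the standard library only. It walks a bundle the way OpenSSL's PEM reader does (text outside BEGIN/END, such as the "CA certificate for ..." comment lines above, is ignored), base64-decodes each block and checks that the result is one complete DER SEQUENCE, which is the outer shape of every X.509 certificate. The sample blocks are constructed DER stand-ins, not real certificates; the script checks structure only and says nothing about whether a certificate is trusted.

```python
"""Structural check of a PEM CA bundle such as CA_Bundle.crt before
pointing HTTPS_CA_FILE at it.  Added example, standard library only."""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_length(der):
    """Return the total encoded length of the outer DER SEQUENCE, or None
    if the bytes do not start with a well-formed SEQUENCE header.  An X.509
    certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_bundle(text):
    """Return (certs, problems).  certs holds the DER bytes of every block
    that decoded cleanly; problems is a list of messages with line numbers.
    Lines outside a BEGIN/END pair are skipped, as OpenSSL's PEM reader does."""
    certs, problems = [], []
    block_lines, begin_line = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if block_lines is not None:
                problems.append(f"line {lineno}: BEGIN inside an unterminated "
                                f"block that started on line {begin_line}")
            block_lines, begin_line = [], lineno
        elif line == END:
            if block_lines is None:
                problems.append(f"line {lineno}: END without a matching BEGIN")
                continue
            try:
                der = base64.b64decode("".join(block_lines), validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"block at line {begin_line}: body is not valid base64")
            else:
                expected = der_sequence_length(der)
                if expected is None or expected != len(der):
                    problems.append(f"block at line {begin_line}: decoded data is "
                                    f"not a single complete DER SEQUENCE")
                else:
                    certs.append(der)
            block_lines, begin_line = None, None
        elif block_lines is not None:
            block_lines.append(line)
    if block_lines is not None:
        problems.append(f"block at line {begin_line}: missing END line")
    return certs, problems


def check_bundle_file(path):
    """Convenience wrapper: run parse_bundle over a file on disk."""
    with open(path, encoding="ascii") as fh:
        return parse_bundle(fh.read())


# Constructed stand-ins (NOT real certificates): a complete DER
# SEQUENCE { INTEGER 5 } and the same value cut off after three bytes.
GOOD = base64.b64encode(bytes.fromhex("3003020105")).decode()
TRUNCATED = base64.b64encode(bytes.fromhex("300302")).decode()

# Well-formed bundle in the tutorial's layout, comment lines included.
SAMPLE_BUNDLE = f"""CA certificate for https://login.yahoo.com
{BEGIN}
{GOOD}
{END}

CA certificate for https://www.google.com/accounts/ServiceLogin
{BEGIN}
{GOOD}
{END}
"""

# Two typical hand-editing accidents: a truncated paste and a lost END line.
BROKEN_BUNDLE = f"""{BEGIN}
{GOOD}
{END}
{BEGIN}
{TRUNCATED}
{END}
{BEGIN}
{GOOD}
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_BUNDLE), ("broken", BROKEN_BUNDLE)):
        certs, problems = parse_bundle(text)
        print(f"{name}: {len(certs)} certificate block(s) OK")
        for p in problems:
            print(f"  problem: {p}")
```

Run it against a real file with check_bundle_file("CA_Bundle.crt"); a clean result is two OK blocks and no problems. Note that a block can pass this check and still be useless to Crypt::SSLeay (for example, an intermediate rather than the root the server chain actually needs), so this catches copy-and-paste damage, not trust decisions.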

Last update: 2011.
