1 Topic by Zeddi (edited by Zeddi 2014-02-14 00:27:57)

  • From: Germany
  • Registered: 2013-08-27
  • Posts: 24

Topic: [SOLVED] server-example uses client certificate as CA

I've seen that the server example (/examples/server/server.c) uses the client certificate instead of the CA certificate as the default CA certificate. This applies to both, ECC and non-ECC:

    char* verifyCert = (char*)cliCert;
    char* ourCert = (char*)svrCert;
    char* ourKey = (char*)svrKey;
#ifdef NO_RSA
    verifyCert = (char*)cliEccCert;
    ourCert = (char*)eccCert;
    ourKey = (char*)eccKey;
#endif

Shouldn't it be

char* verifyCert = (char*)caCert;

in the first and

char* verifyCert = (char*)eccCert;

in the second case?

As an addition:
I think it's confusing that the server and CA certificate are the same in case of ECC (eccCert, expanding to "./certs/server-ecc.pem"), whereas an individual server certificate (svrCert, expanding to "./certs/server-cert.pem") and CA certificate (caCert, expanding to "./certs/ca-cert.pem") exist for the non-ECC case.
Imho it would be more intuitive if there would be two individual certificates (e.g. ./certs/server-ecc-cert.pem for the server with CA:FALSE basic constraint and ./certs/ca-ecc-cert.pem for the CA with CA:TRUE basic constraint) in the case of ECC.

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: [SOLVED] server-example uses client certificate as CA

Hi Zeddi,

I've seen that the server example (/examples/server/server.c) uses the client certificate instead of the CA certificate as the default CA certificate.

The reasoning behind this is that our test client's certificate is actually self-signed, and not signed by a separate CA certificate.  In order for the server example to verify the client certificate, it needs to load in the cert used to sign the client cert, which in this case is the client cert itself.

Imho it would be more intuitive if there would be two individual certificates (e.g. ./certs/server-ecc-cert.pem for the server with CA:FALSE basic constraint and ./certs/ca-ecc-cert.pem for the CA with CA:TRUE basic constraint) in the case of ECC.

Thanks for the suggestion.  We'll add it to our todo list for when we get time.  We'll need to update our test certificates by July anyways.

Thanks,
Chris

https://www.wolfssl.com

chrisc's Website

Share

  • From: Germany
  • Registered: 2013-08-27
  • Posts: 24

Re: [SOLVED] server-example uses client certificate as CA

Thank you for the explanation!
With the client certificate being self-signed, this makes sense now smile.

Share