Hi, "Ivan Adji - Krstev" <akivanradix@gmail.com> wrote on 2016-01-15 at 11:18:
You mean the cacert.pem or the servercert.pem? And vice versa?
The servercert.pem is the cert pair for the key that the server has. The (server)cert is the "public" part of the key, and the key file is the private part. The servercert is signed with the cacert. As far as I saw in your example, you defined a different CA for signing the servercert, and did that separately to sign the client's cert. So the CA that you created to sign the server's CSR (so, after the signing it becomes a cert) is the one which should be published to the client-side CA dir. So when the TLS handshake happens, the client sees that, whoops, here is a server cert. It checks the issuer's fingerprint in the cert. Based on the fingerprint it will find the CA's cert in its local CA dir. It checks if that signature is valid, and the client is happy. The same will happen on the server side symmetrically: the client will show its own cert. The server sees it is signed with the other CA (the one which you used to sign the client cert). Based on the fingerprint, it starts to check if it is available in its CA dir. If you install that there, and the appropriate symlink is also available, then it will also find that CA cert. It will check if the client certificate is valid. It will be. Both sides will be happy, and communicate gladly inside an encrypted channel.

Was this description clear?

Kind regards,
Gyu
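To make the CA placement described above concrete, here is an added Go example (not code from this thread or from any project in it): it builds a separate server CA and client CA, issues one leaf certificate from each, and checks each leaf against a trust store holding a single CA, including the failure case where the wrong CA is installed. Go's CertPool stands in for OpenSSL's hashed CA directory with symlinks; the names newCert, chainsTo and demo are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn: a self-signed CA when issuer is nil, else a leaf signed by issuer.
func newCert(cn string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  issuer == nil,
	}
	if issuer == nil { // self-signed CA: the template is its own parent
		issuer, issuerKey = tmpl, priv
	}
	// A leaf records the issuer's key id (AuthorityKeyId): the hint a verifier uses to find the CA in its store.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// chainsTo is the check each side runs on its peer's certificate: does it validate against a store holding only ca?
func chainsTo(cert, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// demo builds the thread's two-CA setup; returns server-vs-serverCA, client-vs-clientCA, server-vs-clientCA.
func demo() (serverOK, clientOK, wrongCA bool) {
	serverCA, serverCAKey := newCert("server-ca", nil, nil) // signs the server's CSR; goes to the client's CA dir
	clientCA, clientCAKey := newCert("client-ca", nil, nil) // signs the client's CSR; goes to the server's CA dir
	serverCert, _ := newCert("server", serverCA, serverCAKey)
	clientCert, _ := newCert("client", clientCA, clientCAKey)
	return chainsTo(serverCert, serverCA), chainsTo(clientCert, clientCA), chainsTo(serverCert, clientCA)
}
```

The third result is false: a server certificate presented to a side that only has the client CA installed is rejected as signed by an unknown authority, which is the symptom of publishing the wrong CA to a side's CA dir.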