ca_certificate

Specifies the trusted CA certificate used to sign the certificate that is being verified.

ca_certificate | ca_cert=CACertificateFile

Arguments

CACertificateFile—relative or full path to the file containing the trusted CA certificate. If neither ca_certificate nor ca_location is specified, usys:ca-bundle.crt is assumed. This file can contain a number of PEM-formatted certificates.

Use

Set this option in the assignment file of the application that is verifying the other.

Description

The ca_certificate connector option accepts only one file. For server verification, if the trusted CA certificates of the clients and Uniface Servers are different, the certificates must be concatenated into one file. If you use the name usys:ca-bundle.crt for your concatenated CA certificates, you don’t need to specify ca_certificate.

Alternatively, if all the trusted CA certificates reside in a trust store, it is better to specify this trust store with the ca_location parameter.

If you use self-signed certificates, the certificate specified by ca_certificate must be the same as the server_certificate specified by the peer.
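
The following is an added example, not part of the Uniface documentation: it merges several PEM files into the single file that ca_certificate expects, refuses input that contains a private key, and checks the self-signed rule above by comparing certificate fingerprints. The function names are hypothetical, the sample certificates are constructed placeholders rather than real X.509 data, and no signature or chain validation is performed.

```python
import base64, hashlib, re
# Matches any PEM block; the label tells certificates apart from keys.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block; raise ValueError on bad input."""
    ders = []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            raise ValueError("private key found; a CA file must hold certificates only")
        if label != "CERTIFICATE":
            continue
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # an X.509 certificate is an ASN.1 SEQUENCE
            raise ValueError("block is not DER-encoded ASN.1")
        ders.append(der)
    return ders

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def build_bundle(*pem_texts):
    """Concatenate CA certificates from several PEM texts into one, dropping duplicates."""
    seen, out = set(), []
    for text in pem_texts:
        for der in pem_certs(text):
            fp = hashlib.sha256(der).hexdigest()
            if fp not in seen:
                seen.add(fp)
                out.append(to_pem(der))
    return "".join(out)

def is_pinned(ca_text, server_cert_text):
    """Self-signed case: the peer's server certificate must itself be in the CA file."""
    trusted = {hashlib.sha256(d).digest() for d in pem_certs(ca_text)}
    server = pem_certs(server_cert_text)
    return len(server) == 1 and hashlib.sha256(server[0]).digest() in trusted

# Constructed placeholders: tiny DER SEQUENCEs standing in for real certificates.
CLIENT_CA = to_pem(b"\x30\x03\x02\x01\x01")
SERVER_CA = to_pem(b"\x30\x03\x02\x01\x02")
OTHER = to_pem(b"\x30\x03\x02\x01\x03")

if __name__ == "__main__":
    bundle = build_bundle(CLIENT_CA, SERVER_CA + CLIENT_CA)
    print(bundle.count("BEGIN CERTIFICATE"), is_pinned(bundle, SERVER_CA), is_pinned(bundle, OTHER))
```

The text returned by build_bundle is what would be saved as the one file that ca_certificate points to.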

Verification with Self-Signed Certificates

Server verification using a self-signed certificate:

;urouter.asn
[NET_SETTINGS]
CheckServer = verify_server=yes, server_key=usys:servercert.key, %\
              server_certificate=usys:servercert.crt

;client.asn
[NET_SETTINGS]
CheckServer = verify_server=yes, ca_cert=usys:servercert.crt
