Closed mpeylo closed 5 years ago
This is the normal behavior for all OpenSSL CLI options: later occurrences silently override earlier ones. And for the cmp app those on the CLI silently override those read from the config file. Within the config file, again later ones silently override earlier ones.
True. Makes me think whether it might be handy to be able to point to two files, but better to have that only in the far-future. ;-)
I added support for multiple files (each with potentially multiple certs) already quite some time ago. See the man page entry:
-trusted filenames
When verifying signature-based protection of CMP response messages, these are the CA certificate(s) to trust while
checking certificate chains during CMP server authentication. This option gives more flexibility than the -srvcert
option because it does not pin down the expected CMP server by allowing only one certificate.
Multiple file names may be given, separated by commas or whitespace. Each source may contain multiple certificates.
When using the -trusted parameter twice in the cmp app, the first parameter appears to get overwritten.
This happened when I wanted to add -untrusted, but actually added -trusted. Took me a minute to realize what the error is when it was shown to me that there are no "non-trusted" certs, but a single non-self-signed cert in "trust store".
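The silent override described in this thread can be caught before `openssl cmp` is run. The following pre-flight check is an added example, not part of the thread and not OpenSSL code; the function name `cmp_repeated_opts`, the `WATCHED` list (limited to the three options named on this page) and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Value-taking options to watch. Assumption: only the options named in this thread.
WATCHED="-trusted -untrusted -srvcert"

# Usage: cmp_repeated_opts <arguments intended for "openssl cmp">
# Prints one line for every watched option whose earlier value would be
# silently replaced by a later occurrence.
# Returns 0 if nothing is repeated, 1 if something is, 2 on a missing value.
cmp_repeated_opts() {
    seen=""      # one "option=value" line per watched option met so far
    found=0
    while [ "$#" -gt 0 ]; do
        opt=$1
        shift
        case " $WATCHED " in
            *" $opt "*) ;;      # watched option: its value is the next word
            *) continue ;;      # every other argument is ignored by this check
        esac
        [ "$#" -gt 0 ] || { echo "$opt: missing value"; return 2; }
        val=$1
        shift
        # Most recent value already recorded for this option, if any.
        prev=$(printf '%s\n' "$seen" | sed -n "s|^$opt=||p" | tail -n 1)
        if [ -n "$prev" ]; then
            echo "$opt: '$prev' is overridden by '$val'"
            found=1
        fi
        seen="$seen
$opt=$val"
    done
    return "$found"
}

# Constructed invocation reproducing the mistake from the report
# (-trusted typed where -untrusted was meant):
cmp_repeated_opts -trusted root.pem -trusted chain.pem || :
```

When several trust anchor files are really intended, the man page entry quoted above allows them in a single `-trusted` value separated by commas, which this check accepts.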