3.11.3. TLS_CAPath

When TLS is enabled, this parameter specifies the name of a directory containing CA root certificates that may be required to validate TLS peer certificates. Radiator looks for root certificates in TLS_CAFile first and then in TLS_CAPath, so there is usually no need to set both. When Certificate Revocation List (CRL) checks are enabled, the TLS library also uses this directory to look for CRL files.

Setting up CAPath directory for certificates and CRLs

The CA certificates must be in PEM format, one per file. When a certificate is needed, it is looked up using a special hashed file name. A similar lookup is done for Certificate Revocation List (CRL) files when certificate revocation lists are enabled. CRL files must also be in PEM format. Recent OpenSSL versions have a built-in command, rehash, that creates a symbolic link (or a copy of the file) with the special file name. OpenSSL also comes with a separate tool called c_rehash that does a similar job. LibreSSL has a built-in command, certhash, to create the symbolic links.
Here is an example of a directory with a file containing two CA certificates, a CRL file and a file with a single CA certificate. Note that no symbolic link is created when the file with two CA certificates is processed. The certificates in it must be put in separate files; otherwise the certificates in cas.pem cannot be used.
% ls -la
drwxr-xr-x   5 mikem  staff   160 Dec 20 13:09 .
drwxr-xr-x  97 mikem  staff  3104 Dec 20 12:59 ..
-rw-r--r--   1 mikem  staff  9957 Dec 20 13:09 cas.pem
-rw-r--r--   1 mikem  staff  2383 Dec 20 13:02 root-CA-crl.pem
-rw-r--r--   1 mikem  staff  4992 Dec 20 12:59 root-CA-crt.pem

% openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

% openssl rehash -v .
Doing .
rehash: warning: skipping cas.pem,it does not contain exactly one certificate or CRL
link root-CA-crt.pem -> 322a67d3.0
link root-CA-crl.pem -> 322a67d3.r0

% ls -la
drwxr-xr-x   7 mikem  staff   224 Dec 20 13:17 .
drwxr-xr-x  97 mikem  staff  3104 Dec 20 12:59 ..
lrwxr-xr-x   1 mikem  staff    15 Dec 20 13:17 322a67d3.0 -> root-CA-crt.pem
lrwxr-xr-x   1 mikem  staff    15 Dec 20 13:17 322a67d3.r0 -> root-CA-crl.pem
-rw-r--r--   1 mikem  staff  9957 Dec 20 13:09 cas.pem
-rw-r--r--   1 mikem  staff  2383 Dec 20 13:02 root-CA-crl.pem
-rw-r--r--   1 mikem  staff  4992 Dec 20 12:59 root-CA-crt.pem
Note
The equivalent LibreSSL command is (the dot is one of the command parameters): openssl certhash -v .
Testing indicates that LibreSSL does not ignore files with multiple certificates but creates one symbolic link for such a file. For more information on these OpenSSL and LibreSSL commands, see https://www.openssl.org/docs/manmaster/man1/c_rehash.html and https://man.openbsd.org/openssl.1
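As an added example (not from the Radiator documentation, OpenSSL or LibreSSL), the following POSIX shell functions prepare a TLS_CAPath directory the way the text describes: one splits a bundle such as cas.pem into one-certificate-per-file pieces so that every certificate becomes usable, the other creates the <hash>.N and <hash>.rN links using only the -hash option of openssl x509 and openssl crl, which also works on OpenSSL builds that predate the rehash subcommand. File and directory names are assumptions, and the sample bundle is constructed with dummy bodies rather than real certificates.

```shell
# Added example, not part of the Radiator documentation or its tooling.
# Prepares a TLS_CAPath directory: splits a multi-certificate PEM bundle into
# one-certificate-per-file pieces (rehash skips bundles), then creates the
# <hash>.N / <hash>.rN links with "openssl x509 -hash" / "openssl crl -hash",
# which also works on OpenSSL builds that predate the rehash subcommand.
# File names and directory layout are assumptions made for the example.

# split_pem_bundle BUNDLE OUTDIR: write every CERTIFICATE block of BUNDLE to
# OUTDIR/<bundle-name>-N.pem and print the number of blocks written.
split_pem_bundle() {
    prefix=$(basename "$1" .pem)
    mkdir -p "$2"
    awk -v dir="$2" -v pfx="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%s-%d.pem", dir, pfx, n) }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
        END                            { print n + 0 }' "$1"
}

# rehash_capath DIR: link every single-certificate or single-CRL PEM file in DIR
# under its subject (certificate) or issuer (CRL) hash, as "openssl rehash" does.
# Files holding more than one PEM object are skipped, as rehash skips them;
# hash collisions get .1, .r1, ... and an existing correct link is left alone.
rehash_capath() {
    dir="$1"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(grep -c '^-----BEGIN ' "$f")" -ne 1 ]; then
            echo "skipping $f: not exactly one certificate or CRL" >&2; continue
        fi
        if   h=$(openssl x509 -noout -hash -in "$f" 2>/dev/null); then kind=""
        elif h=$(openssl crl  -noout -hash -in "$f" 2>/dev/null); then kind="r"
        else echo "skipping $f: not a PEM certificate or CRL" >&2; continue
        fi
        i=0
        while [ -e "$dir/$h.$kind$i" ]; do
            [ "$(readlink "$dir/$h.$kind$i")" = "$(basename "$f")" ] && continue 2
            i=$((i + 1))
        done
        ln -s "$(basename "$f")" "$dir/$h.$kind$i"
    done
}

# make_sample_bundle FILE: write a constructed two-block bundle (dummy bodies,
# not real certificates) so split_pem_bundle can be exercised offline.
make_sample_bundle() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdummy0=' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'MIIBdummy1=' '-----END CERTIFICATE-----' > "$1"
}
```

On a real directory the sequence is `split_pem_bundle cas.pem . && rehash_capath .`; the split files and the original cas.pem can then be checked with `ls -la` as in the listing above.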