HP NonStop SSL User Manual

HP NonStop SSL Reference Manual Configuration 81
certificate
the trusted CA certificate in PKCS-8 DER encoded format
Default
If omitted, HP NonStop SSL will not check the TLS/SSL partner’s certificate chain.
Examples
TRUST
WHIRLPOOL:85A8DAF0D76139154335C46E5E53C5A175CC1BDB8B7D80716CF19A93EDB75046F4BDD9BCDC005DAA5433D2D
BCE47AF0D4A2C9EB6DDBD1F94EF166308EA47FE73,
SHA256:1F4F7E0A6E1E92DDD6D5411C371C100B74DD7D32EAE7F447486AA4DAC5F43056
TRUST rootcert
Considerations
The TRUST parameter can be specified in two ways: either by specifying the fingerprints of the CA certificates
or by specifying a filename containing the full certificate in DER encoding. The two formats cannot be mixed.

By default, the WHIRLPOOL hash algorithm - one of the currently strongest hash algorithms - is used.
Therefore you should also specify fingerprints with their WHIRLPOOL hash. If you do want to use other hash
algorithms, you have to use the HASHALGORITHMS parameter. Note that a fingerprint is only used if its
hash algorithm is marked as active (by including it in the HASHALGORITHMS parameter).

If the remote SSL server is sending the complete certificate chain, the two forms of specifying the trusted CAs
do not differ in functionality. Some SSL servers do not send the complete certificate chain during the
handshake; for those servers the missing signing certificate(s) should be specified with the "certificate" syntax
of the parameter.

The parameter can be changed at run time using SSLCOM; see chapter "SSLCOM Command Interface"
for details.

Due to the edit file length restriction of 255 characters, there are certain limitations for the number of
fingerprints you can use in the configuration file. The following table assumes that all fingerprints use the
same algorithm. In general, 5 characters of the line are required for the "TRUST". In addition to the actual
fingerprint length, the characters required for the <FingerprintName:> and the separator have to be
considered ("add on"). Numbers in round brackets give the value when the old fingerprint format, which is
only available for SHA1 and MD5, is used.
Algorithm    Fingerprint Length    Add On    Max Fingerprints in Config
MD5*         32                    5 (0)     6 (7)
SHA1*        40                    6 (0)     5 (6)
RIPEMD160    40                    11        4
SHA256       64                    8         3
SHA384       96                    8         2
SHA512       128                   8         1
WHIRLPOOL    128                   11        1
Of course you can mix fingerprints: if you have a WHIRLPOOL fingerprint specified, one SHA384, one
SHA256, or two RIPEMD160 fingerprints still fit within the given 255 characters.
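The line budget and the HASHALGORITHMS rule described above can be checked before a TRUST line is written to the configuration file. The following Python script is an added example, not part of the HP manual or product: the function names are hypothetical, the default active set of WHIRLPOOL only is assumed from the text above, and the fingerprints are constructed values.

```python
# Added example (not HP code): lint TRUST fingerprints before editing the config.
import re

EDIT_LINE_LIMIT = 255        # edit file line length restriction from this section
KEYWORD_LEN = len("TRUST")   # the 5 characters the table reserves for "TRUST"
# Algorithm name -> fingerprint length in hex characters (table in this section).
HEX_LEN = {"MD5": 32, "SHA1": 40, "RIPEMD160": 40, "SHA256": 64,
           "SHA384": 96, "SHA512": 128, "WHIRLPOOL": 128}


def entry_cost(algorithm):
    """Hex digits plus the table's "add on": the name, ':' and one separator."""
    return HEX_LEN[algorithm] + len(algorithm) + 2


def max_fingerprints(algorithm):
    """Largest count of same-algorithm fingerprints that fits on one line."""
    return (EDIT_LINE_LIMIT - KEYWORD_LEN) // entry_cost(algorithm)


def lint_trust(entries, active=("WHIRLPOOL",)):
    """entries: [(algorithm, hex_fingerprint), ...]; active: HASHALGORITHMS value.

    Returns (characters_used, problems). An empty problem list means the line
    fits and every fingerprint belongs to an active hash algorithm.
    """
    problems, used = [], KEYWORD_LEN
    for algorithm, fingerprint in entries:
        if algorithm not in HEX_LEN:
            problems.append(f"{algorithm}: unknown algorithm")
            continue
        used += entry_cost(algorithm)
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % HEX_LEN[algorithm], fingerprint):
            problems.append(f"{algorithm}: expected {HEX_LEN[algorithm]} hex characters")
        if algorithm not in active:
            problems.append(f"{algorithm}: not in HASHALGORITHMS, fingerprint is ignored")
    if used > EDIT_LINE_LIMIT:
        problems.append(f"line needs {used} characters, limit is {EDIT_LINE_LIMIT}")
    return used, problems


if __name__ == "__main__":
    # Constructed fingerprints (repeated hex digits), not real certificate hashes.
    mixed = [("WHIRLPOOL", "AB" * 64), ("SHA256", "CD" * 32)]
    print(lint_trust(mixed))                                  # SHA256 inactive
    print(lint_trust(mixed, active=("WHIRLPOOL", "SHA256")))  # no problems
    print(lint_trust([("SHA512", "EF" * 64)] * 2, active=("SHA512",)))  # too long
```

A fingerprint flagged as ignored is the case to watch for: the line is accepted, but that CA is never matched because its hash algorithm is not active.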
See also
HASHALGORITHMS