Server Credentials: x509 cert and key

Simon Josefsson simon at
Fri Aug 22 14:53:26 CEST 2008

Alvaro Lopez Ortega <alvaro at> writes:

> Hello there,
> I have a quick question for you guys, I hope someone can give me a
> hand with this. The thing is that I do not know how to access the X509
> cert and key from within a gnutls_certificate_server_credentials
> object.
> Allow me to summarize the problem. All this is happening in a server;
> I create one of the certificate_server_credentials structures for each
> virtual server and then, I read the key and cert for each of them by
> calling the gnutls_certificate_set_x509_key_file() function.
> Right after that, gnutls_certificate_server_set_retrieve_function()
> sets the SNI callback from which I can access the virtual server
> credentials that I'd like the TLS connection to use. However, there is
> where it gets kind of confusing to me.
> How am I supposed to set the cert.x509 and key.x509 values in the
> gnutls_retr_st structure?  Is there a way to get those values by using
> the certificate server credential object?

Are the virtual servers listening on the same port?

If so, you shouldn't use gnutls_certificate_set_x509_key_file: that
function is intended where you know which certificate+key should be used
before the connection is started.  But with SNI, you can't know this.

Thus, in the callback from
gnutls_certificate_server_set_retrieve_function, you need to figure out
which virtual server is requested by the client by calling
gnutls_server_name_get, and then load the proper certificate+key by
using gnutls_x509_crt_list_import and gnutls_x509_privkey_import.  The
gnutls_retr_st should contain pointer to the imported certificate/key.

I hope this helps.

If you can suggest documentation improvements that would have helped you
understand this, please do!


More information about the Gnutls-devel mailing list