recommendations for storage of accepted certificates

Ted Zlatanov tzz at
Sat Oct 2 17:45:07 CEST 2010

On Sat, 02 Oct 2010 08:51:18 +0200 Nikos Mavrogiannopoulos <nmav at> wrote: 

NM> On 10/01/2010 09:50 PM, Ted Zlatanov wrote:
>> I want to store the server certificates that the user accepts.  This is
>> inside Emacs so I have easy access to file editing and all the other
>> nifty Emacs Lisp functions.
>> Can I generate a trust file? 

NM> Of course you can. Just store the trusted certificates in PEM format.
NM> However there you place trusted CAs thus any CA you store could verify
NM> potentially any server which is quite dangerous and might not be what
NM> you want.

Yeah.  We have to discuss it in the context of Emacs, which is pretty
unusual (more like an OS than most applications) so we may decide to
augment the OS-level trusted certificates with our own CA.  But it's
good to know I can make a personalized one for each user.

NM> The best alternative would be to store for every server the
NM> corresponding certificate and during next connection verify that it
NM> remained the same.

OK.  The question is then where to store it.  Emacs can handle all the
file interactions but I wondered if there's a convention
(e.g. $HOME/.certs or some such) where I can drop those certificates.
I'll call it $CERTDROP below.

>> Currently the trust file is the one that comes with the OS but I
>> could make a user-specific one and copy the OS trust file contents
>> into the user's.  Or is the trust file only a bundle of certificate
>> authorities?  I can't find documentation on the format.

NM> If you go with the 1st approach, you don't really need to store the
NM> system file to the user one. You can call
NM> gnutls_certificate_set_x509_key_file() multiple times (one to load
NM> the system and one more for the user).

Oh!  I didn't notice that gnutls_certificate_set_x509_key_file() and
gnutls_certificate_set_x509_trust_file() can be called multiple times.
It's pretty easy then and won't require making bundles:

1) set up a conventional place where Emacs will drop accepted
certificates, $CERTDROP/*.pem

2) on gnutls-boot call, load all the accepted certificates plus whatever
the user specifies (is there a performance penalty for a large number of

3) set up a facility within the Emacs GnuTLS support to accept and store
unknown server certificates.  What function in the GnuTLS API can I use
to provide this?  I can't find the right way in the docs or in the
examples, sorry.

Thanks for your help
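The per-server approach suggested in the thread (store each server's certificate and check on the next connection that it is unchanged) can be sketched as below. This is an added example, not part of the original message and not GnuTLS or Emacs code. The names `pin_check` and `pin_path` and the `<dir>/<host>_<port>.der` layout are assumptions, and in a GnuTLS client the DER bytes would be the first entry returned by `gnutls_certificate_get_peers()`.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pin_result { PIN_NEW, PIN_MATCH, PIN_MISMATCH, PIN_ERROR };

/* Build "<dir>/<host>_<port>.der"; reject host names that could escape dir. */
static int pin_path(char *out, size_t n, const char *dir,
                    const char *host, unsigned port)
{
    if (!*host || host[0] == '.') return -1;
    for (const char *p = host; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return -1;                      /* no '/', '\\', spaces, ... */
    int w = snprintf(out, n, "%s/%s_%u.der", dir, host, port);
    return (w > 0 && (size_t)w < n) ? 0 : -1;
}

/* Compare the presented certificate (DER bytes) with the stored copy.
 * On first contact it is stored; a real client asks the user before that. */
enum pin_result pin_check(const char *dir, const char *host, unsigned port,
                          const unsigned char *der, size_t len)
{
    char path[512];
    if (pin_path(path, sizeof path, dir, host, port) != 0) return PIN_ERROR;
    FILE *f = fopen(path, "rb");
    if (!f) {
        if (errno != ENOENT) return PIN_ERROR;  /* unreadable is not "new" */
        if (!(f = fopen(path, "wb"))) return PIN_ERROR;
        size_t w = fwrite(der, 1, len, f);
        return (fclose(f) == 0 && w == len) ? PIN_NEW : PIN_ERROR;
    }
    unsigned char *old = malloc(len + 1);   /* +1 detects a longer stored file */
    if (!old) { fclose(f); return PIN_ERROR; }
    size_t got = fread(old, 1, len + 1, f);
    fclose(f);
    enum pin_result r = (got == len && memcmp(old, der, len) == 0)
                        ? PIN_MATCH : PIN_MISMATCH;
    free(old);
    return r;
}

int main(void) {
    const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x2a }; /* constructed bytes */
    printf("%d\n", pin_check(".", "mail.example.org", 993, der, sizeof der));
    return 0;
}
```

A `PIN_MISMATCH` result should stop the connection and be shown to the user, never overwrite the stored file silently.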
