= ssl with soap4r / verify certificates question =

== Q ==

Hi,

I connect to Amazon webservices over soap4r via https. It always says it can't verify the certificate and for the time being I've turned it off using

{{{
obj.options['protocol.http.ssl_config.verify_mode'] = nil
}}}

I read from other posts that this certificate warning is because the openssl library doesn't have the root certificates to verify the certificate. My question is, I found a pem file with all the root certificates, is there an option to point it to use the pem file?

Also a related question, is there a default folder where it looks for these root certificates? Is there any easy way just to point it to my existing root certificates that my machine uses? I'm on Mac OS X.

== A ==

There are two certificates to verify: the issuer certificate and the actual server certificate (issued by the issuer). The issuer is typically one of the cartel members: Verisign, Entrust, Thawte etc. The issuer certificate is set as a property:

{{{
service.options['protocol.http.ssl_config.ca_file'] = ISSUER_CA_PEM
}}}

where ISSUER_CA_PEM is a path to the issuing authority's cert.

The actual server certificate verify is done with the callback. So we define:

{{{
service.options['protocol.http.ssl_config.verify_callback'] = method(:validate_certificate)
}}}

and define the method like this:

{{{
def validate_certificate(is_ok, ctx)
  cert = ctx.current_cert
  # The callback is invoked once per certificate in the chain.
  # Only check the server certificate, not the (self-signed) issuer.
  unless cert.subject.to_s == cert.issuer.to_s
    # Pin: the presented certificate must be byte-for-byte the one we expect.
    is_ok &&= File.read(SERVER_PEM) == cert.to_pem
  end
  is_ok
end
}}}

The SERVER_PEM contains the server certificate that is issued, signed by the ISSUER_CA_PEM.

Note that the above callback does not verify explicitly that the server certificate has been signed by the issuer. It just verifies that the server presented the certificate that the client knows about. If you need that, it shouldn't be too hard, just look at the signature properties of OpenSSL::X509::Certificate.
cheers, emil
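The following is an added example, not code from the answer above nor from soap4r or httpclient. It shows the two checks the answer describes (the ca_file trust anchor and a verify_callback that pins the server certificate) and also adds the explicit signature check the answer only hints at. To run offline it generates a throwaway CA, a server certificate signed by it, and two negative cases (a different certificate from the same CA, and a certificate from an untrusted CA); the subject name ecs.amazonaws.com is just a label and nothing is contacted. An OpenSSL::X509::Store with the callback installed stands in for the TLS handshake, since httpclient hands the same (preverify_ok, StoreContext) pair to the callback.

```ruby
require 'openssl'

# Added example (not from the original post, not soap4r/httpclient code).
# All certificates are generated in-process as constructed test data.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build a certificate for `subject`; self-signed CA when no issuer is given.
def make_cert(subject, key, serial, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  ca = issuer_cert.nil?
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY      = make_key
CA_CERT     = make_cert('/CN=Example Test CA', CA_KEY, 1)   # what ssl_config.ca_file would hold
SERVER_KEY  = make_key
SERVER_CERT = make_cert('/CN=ecs.amazonaws.com', SERVER_KEY, 2, CA_CERT, CA_KEY)
PINNED_PEM  = SERVER_CERT.to_pem                            # what SERVER_PEM would hold

# Negative cases: another cert from the same CA (pin mismatch) and a cert
# from a CA the client does not trust (chain failure).
OTHER_CERT  = make_cert('/CN=ecs.amazonaws.com', SERVER_KEY, 3, CA_CERT, CA_KEY)
ROGUE_KEY   = make_key
ROGUE_CA    = make_cert('/CN=Rogue CA', ROGUE_KEY, 4)
ROGUE_CERT  = make_cert('/CN=ecs.amazonaws.com', SERVER_KEY, 5, ROGUE_CA, ROGUE_KEY)

# The verify_callback. OpenSSL invokes it once per certificate in the chain
# with its own verdict (preverify_ok) and an OpenSSL::X509::StoreContext.
# error_depth 0 is the leaf (server) certificate; deeper entries are issuers.
# Testing the depth is more robust than comparing subject with issuer, which
# misfires when an intermediate CA sits between root and server.
def pinning_callback(pinned_pem, ca_cert)
  lambda do |preverify_ok, ctx|
    return preverify_ok unless ctx.error_depth == 0
    cert = ctx.current_cert
    preverify_ok &&
      cert.to_pem == pinned_pem &&        # pin: exactly the certificate we know
      cert.verify(ca_cert.public_key)     # explicit signature check against the issuer
  end
end

# Stand-in for the handshake: verify `presented` against a store that trusts
# only ca_cert, with the callback installed.
def verify_with_pin(presented, ca_cert, pinned_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify_callback = pinning_callback(pinned_pem, ca_cert)
  store.verify(presented)
end

if __FILE__ == $PROGRAM_NAME
  puts "pinned cert, trusted CA: #{verify_with_pin(SERVER_CERT, CA_CERT, PINNED_PEM)}"
  puts "other cert, trusted CA:  #{verify_with_pin(OTHER_CERT, CA_CERT, PINNED_PEM)}"
  puts "cert from untrusted CA:  #{verify_with_pin(ROGUE_CERT, CA_CERT, PINNED_PEM)}"
end
```

Two practical caveats. Pinning the whole PEM means the client breaks the moment the server rotates its certificate, so keep the ca_file check as the baseline and treat the pin as an extra that needs maintenance. And setting verify_mode to nil, as in the question, switches verification off entirely; the callback only runs when verification is on. For the question about default locations: Ruby's openssl binding exposes the paths it was built with as OpenSSL::X509::DEFAULT_CERT_FILE and OpenSSL::X509::DEFAULT_CERT_DIR, which is a quick way to check where a system bundle is expected before pointing ca_file at your own PEM.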