How can I include my certificate chain and private key in a TLS server using the OpenSSL library?
I am trying to write C code to implement a TLS socket using OpenSSL. The server has a certificate chain with 4 certificates: leaf certificate - intermediate1 certificate - intermediate2 certificate - root certificate. I init everything in the order:
SSL_library_init()
SSL_load_error_strings()
OpenSSL_add_ssl_algorithms()
When ctx config is:
SSL_ctx_set_cipher_list()
SSL_ctx_use_certificate_chain("",pem)
SSL_ctx_use_certificate_file("",pem) (1)
SSL_ctx_use_PrivateKey(".key",pem)
I get the error "unknown ca", which I guess is because calling SSL_ctx_use_certificate_file discards SSL_ctx_use_certificate_chain and thus the client cannot verify the server certificate. When ctx config is:
SSL_ctx_set_cipher_list()
SSL_ctx_use_certificate_chain("",pem) (2)
SSL_ctx_use_PrivateKey(".key",pem)
I get a certificate-key mismatch error. I formed the chain using:
cat server.pem intermediate1.pem intermediate2.pem > chain.pem
so I haven't included the root certificate in the chain since the client already has it. I would expect (2) to work since the private key is the key corresponding to the server.pem certificate, which is at the top of the chain.
-How should I include the chain in the C code in a way that I don't get a key-cert. mismatch error? I found this function:
SSL_CTX_add_extra_chain_cert()
but I could not understand how to use it. The second argument of this function is X509*, so how should I load and input it to this function? -Is there a function in OpenSSL that loads the certificate from memory? Note that my certificates are all in PEM format, and this X509 confuses me since I am not really familiar with cert. data types. -Do I need to use
SSL_CTX_load_verify_locations()
function on the server side if I am not asking the client for its certificate?
EDIT:
#include <stdbool.h>
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* CIPHER_LIST, DEBUG_PRINT, acceptedSocket, init_openssl() and
   create_context() are defined elsewhere in the program. */
SSL *ssl;
SSL_CTX *ctx;

void configure_context(SSL_CTX *ctx)
{
    if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) <= 0)
    {
        ERR_print_errors_fp(stderr);
    }
    /* chain.pem: leaf certificate first, followed by the intermediates */
    if (SSL_CTX_use_certificate_chain_file(ctx, "/var/lib/certs/chain.pem") <= 0)
    {
        ERR_print_errors_fp(stderr);
    }
    /* the private key must belong to the first certificate in chain.pem */
    if (SSL_CTX_use_PrivateKey_file(ctx, "/var/lib/certs/private.key", X509_FILETYPE_PEM) <= 0)
    {
        ERR_print_errors_fp(stderr);
    }
}

bool sslAcceptSocket()
{
    SSL_library_init();
    init_openssl();
    ctx = create_context();
    configure_context(ctx);
    ssl = SSL_new(ctx);
    SSL_set_fd(ssl, acceptedSocket);
    int err = SSL_accept(ssl);
    if (err < 1)
    {
        DEBUG_PRINT("SSL Error: %d\n", err);
        ERR_print_errors_fp(stderr);
        return false;
    }
    return true;
}
acceptedSocket is the TCP socket, and it works fine. However, I get a key-cert mismatch error in the TLS part. Replacing
SSL_CTX_use_certificate_chain_file(ctx,"/var/lib/certs/chain.pem")
with
SSL_CTX_use_certificate_file(ctx,"/var/lib/certs/leaf.pem")
solves the key-cert. mismatch problem, but then I get the "unknown ca" error (as expected).
Solution 1:
The problem was due to the certificates and the key so the code in the "EDIT" part of the question actually works with the correct certificates.
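Added example, not code from the question or the answer: a POSIX shell pre-flight check using the openssl CLI that catches both failure modes above before the C server is started: a chain.pem whose certificates are not in leaf-first issuer order (the "unknown ca" case) and a private key that does not belong to the first certificate in the bundle (the key-cert mismatch). It assumes the openssl binary is on PATH; file names are placeholders.

```sh
#!/bin/sh
# Added example (not code from the question or answer): pre-flight check for the
# files passed to SSL_CTX_use_certificate_chain_file() and
# SSL_CTX_use_PrivateKey_file(). Assumes the openssl CLI is on PATH.
# Usage: check_chain_and_key CHAIN_PEM KEY_PEM
# Returns 0 only when the leaf comes first, every certificate is issued by the
# one following it, and the key's public half equals the leaf's public key.
check_chain_and_key() {
    chain=$1
    key=$2
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null)
    if [ "${n:-0}" -lt 1 ]; then
        echo "$chain contains no PEM certificates" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate; cert.0 is the leaf.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { i++ }
                     i > 0 { print > (d "/cert." (i - 1)) }' "$chain"
    rc=0
    i=0
    # Each certificate's issuer must be the subject of the next one in the file;
    # otherwise the peer sees a gap in the chain and reports "unknown ca".
    while [ "$i" -lt $((n - 1)) ]; do
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/cert.$((i + 1))" -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i is not issued by cert $((i + 1)): chain out of order or incomplete" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    # SSL_CTX_use_PrivateKey_file() fails with a key/cert mismatch unless the
    # key's public part is the SubjectPublicKeyInfo of the first certificate.
    cert_pub=$(openssl x509 -in "$tmp/cert.0" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match the leaf certificate in $chain" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Run it as `check_chain_and_key /var/lib/certs/chain.pem /var/lib/certs/private.key` before starting the server; a non-zero exit names which of the two problems the files have.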
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | Korcan