is a gnutls_certificate_credentials_t type.
const gnutls_datum_t * spki
contains a raw public key in
const gnutls_datum_t * pkey
contains a raw private key.
encoding of the keys. DER or PEM.
const char * pass
an optional password to unlock the private key pkey.
unsigned int key_usage
An ORed sequence of GNUTLS_KEY_* flags.
const char ** names
is an array of DNS names belonging to the public-key
(NULL if none).
unsigned int names_length
holds the length of the names list.
unsigned int flags
an ORed sequence of gnutls_pkcs_encrypt_flags_t.
These apply to the private key pkey.
This function sets a public/private keypair in the
gnutls_certificate_credentials_t type to be used for
authentication and/or encryption. spki and privkey should match
otherwise set signatures cannot be validated. In case of no match
this function returns GNUTLS_E_CERTIFICATE_KEY_MISMATCH. This
function should be called once for the client because there is
currently no mechanism to determine which raw public-key to
select for the peer when there are multiple present. Multiple raw
public keys for the server can be distinghuished by setting the
Note here that spki is a raw public-key as defined in RFC7250.
It means that there is no surrounding certificate that holds the
public key and that there is therefore no direct mechanism to
prove the authenticity of this key. The keypair can be used
during a TLS handshake but its authenticity should be established
via a different mechanism (e.g. TOFU or known fingerprint).
The supported formats are basic unencrypted key, PKCS8, PKCS12,
and the openssl format and will be autodetected.
If the raw public-key and the private key are given in PEM
encoding then the strings that hold their values must be null
Key usage (as defined by X.509 extension (126.96.36.199)) can be
explicitly set because there is no certificate structure around
the key to define this value. See for more info
Note that, this function by default returns zero on success and a
negative value on error. Since 3.5.6, when the flag
GNUTLS_CERTIFICATE_API_V2 is set using
gnutls_certificate_set_flags() it returns an index (greater or
equal to zero). That index can be used in other functions to
refer to the added key-pair.
This page is part of the GnuTLS (GnuTLS Transport Layer Security
Library) project. Information about the project can be found at
⟨http://www.gnutls.org/⟩. If you have a bug report for this
manual page, send it to email@example.com. This page was obtained
from the tarball gnutls-3.8.0.tar.xz fetched from
⟨http://www.gnutls.org/download.html⟩ on 2023-06-23. If you
discover any rendering problems in this HTML version of the page,
or you believe there is a better or more up-to-date source for
the page, or you have corrections or improvements to the
information in this COLOPHON (which is not part of the original
manual page), send a mail to firstname.lastname@example.org