I am afraid I have not found adequate documentation that I can use to guide me in editing the contents of openssl.cnf. The comments within the file do not tell me enough about good values to use for the different options that are available.
Here are my objectives:

1) A single certificate authority, used by multiple registration authorities.
2) Support for generating client-side certificates, in response to a request made by a client through a form that contains the keygen HTML tag (and after a series of challenges and responses to verify identity), with the following properties:
   a) requires a password every time the client uses it
   b) supports, with the corresponding private key, encryption and signing of the contents of the fields of the form which is accessible only by using the certificate (to support non-repudiation).
   c) a client may have multiple certificates permitted by multiple registration authorities, with different IDs (for access to different accounts, so a client may have multiple IDs even from the same registration authority, but for access to different accounts), and the question becomes how to ensure the client uses the right certificate for each account. But at the same time, few of the clients in question are part of any particular organization.

And related questions:

1) Given that I'd like to store a copy of the certificates' public key, in a table which maps the certificate to the user's IDs,
   a) what data type would be most appropriate, and
   b) if I have a web page into which the user can enter the client's ID and paste the contents of a file that has allegedly been encrypted and signed by the client, how do I verify whether or not it was, in fact, signed by the client and, if so, that the document has not been altered?
2) I was reading, in various places, that when the keygen tag is used, the user is presented a dialog that lets him select the strength of the key, so how can I ensure that the clients use only the strongest level of encryption available?

Can anyone either tell me how best to do this, or point me to an online resource that explains how to do this, and more?
Thanks
Ted