Hello,

Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP, and OpenVPN services. Actually, I created my own CA for some of the certificates, and in other cases I used self-signed. It took me substantially more time than I had anticipated, and I'm left with feelings of unease.

It seems the way to do this revolves around openssl, but while I was able to find instructions*, they were cookbook-style, and didn't really give me as complete an understanding as I had hoped.

[*] http://sial.org/howto/openssl/

I experimented with tinyca2, which appears only to create certificates with passphrases, which is obnoxious. Only some applications (e.g. dovecot) allow you to specify passphrases, and in most cases the config file with the passphrase is protected the same way as the key itself, using filesystem permissions, making it pointless.

However, I still have problems with dovecot. Whenever I connect to IMAPS, it complains that the certificate is for '' (empty string), and I'm not sure what I did wrong in the certificate creation.

In other cases, such as openvpn, there are some scripts there (easy-rsa) which take care of it for you.

I couldn't, in particular, find comprehensive information on the openssl.cnf file, particularly the v3 extensions.

In some cases, such as OpenBSD's isakmpd, I had to abandon my plans completely because they had requirements that the certificates have some fields (subjectAltName, I think) that weren't well documented. I can't remember exactly if I couldn't create this field, or merely didn't know what to put in it. However, in this case, the main problem I found was that the Linux port of isakmpd was not reliable, and nearly impossible to debug. It just would work 50% of the time, and not the other 50%. OpenBSD's isakmpd is pretty sexy - it detects NAT traversal and automagically encapsulates in UDP - but apart from the Linux reliability issue, I also had issues with multiple tunnels going through the same NAT/fw box that was itself running IPSec. Whereas by contrast, OpenVPN handles that situation well, and has support for MS-Windows should I ever want it.

Further, trying to dig into ASN.1 was extremely difficult. The specs are full of obtuse language, using terms like "object" without defining them first.

Are there any tools that will dump certificates in human-readable formats? I would really like something that could take a PEM file of a cert and display it in XML or something of the sort.

Although I have it all working, I am considering redoing all the work, hopefully all under one CA cert that I control. But I'm not sure if that's wise.

I'm plowing through the O'Reilly OpenSSL book, but are there other resources out there that could help me, or others like me?

--
Obama Nation | It's not like I'm encrypting... it's more like I've developed a massive entropy deficiency | http://www.subsubpacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
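
An added example, not part of the original post: a shell sketch of the setup the message describes, with one private CA signing a passphrase-less server key whose certificate carries a CN and subjectAltName from a minimal config file, followed by a human-readable dump. The file name demo.cnf, the section names and the example.test hostnames are constructed for illustration.

```shell
#!/bin/sh
set -eu

# Build a throwaway CA and one server certificate in directory $1.
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.example.test,DNS:mail.example.test
EOF
    # -nodes writes the private keys without a passphrase.
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/ca.key" -out "$d/ca.crt" -days 30 2>/dev/null
    # -subj replaces the [dn] section, so the server CN is the host name.
    openssl req -new -config "$d/demo.cnf" -subj "/CN=imap.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    # x509 -req does not copy CSR extensions by default; they come from -extfile.
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_server \
        -days 30 -out "$d/srv.crt" 2>/dev/null
    chmod 600 "$d/ca.key" "$d/srv.key"   # unencrypted keys rely on file mode
}

# Human-readable dump of every field and extension in a PEM certificate.
dump_cert() { openssl x509 -in "$1" -noout -text; }

# The names a TLS client matches against: the subject line, then the SAN list.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    dump_cert "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Succeeds only if certificate $2 chains to CA certificate $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

tmp=$(mktemp -d)
make_demo_pki "$tmp"
cert_names "$tmp/srv.crt"
chain_ok "$tmp/ca.crt" "$tmp/srv.crt" && echo "chain verifies"
rm -rf "$tmp"
```

Running `dump_cert` on any PEM certificate shows whether the subject and the X509v3 extensions actually contain what the config was meant to put there.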