Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP,
and OpenVPN services.  Actually, I created my own CA for some of the
certificates, and in other cases I used self-signed.  It took me
substantially more time than I had anticipated, and I'm left with
feelings of unease.

It seems the way to do this revolves around openssl, but while I was
able to find instructions*, they were cookbook-style, and didn't
really give me as complete an understanding as I had hoped.

[*] http://sial.org/howto/openssl/

I experimented with tinyca2, which appears only to create certificates
with passphrases, which is obnoxious.  Only some applications
(e.g. dovecot) allow you to specify passphrases, and in most cases the
config file with the passphrase is protected the same way as the key
itself, using filesystem permissions, making it pointless.

However, I still have problems with dovecot.  Whenever I connect to
IMAPS, it complains that the certificate is for '' (empty string), and
I'm not sure what I did wrong in the certificate creation.

In other cases, such as openvpn, there are some scripts there
(easy-rsa) which take care of it for you.

I couldn't, in particular, find comprehensive information on the
openssl.cnf file, particularly the v3 extensions.

In some cases, such as OpenBSD's isakmpd, I had to abandon my plans
completely because they had requirements that the certificates have
some fields (subjectAltName, I think) that weren't well documented.
I can't remember exactly if I couldn't create this field, or merely
didn't know what to put in it.

However, in this case, the main problem I found was that the Linux
port of isakmpd was not reliable, and nearly impossible to debug.  It
just would work 50% of the time, and not the other 50%.  OpenBSD's
isakmpd is pretty sexy - it detects NAT traversal and automagically
encapsulates in UDP - but apart from the Linux reliability issue, I
also had issues with multiple tunnels going through the same NAT/fw
box that was itself running IPSec.  Whereas by contrast, OpenVPN
handles that situation well, and has support for MS-Windows should I
ever want it.

Further, trying to dig into ASN.1 was extremely difficult.  The specs
are full of obtuse language, using terms like "object" without
defining them first.  Are there any tools that will dump certificates
in human-readable formats?  I would really like something that could
take a PEM file of a cert and display it in XML or something of the

Although I have it all working, I am considering redoing all the work,
hopefully all under one CA cert that I control.  But I'm not sure if
that's wise.

I'm plowing through the O'Reilly OpenSSL book, but are there other
resources out there that could help me, or others like me?
Obama Nation | It's not like I'm encrypting... it's more like I've
developed a massive entropy deficiency | 
If you are a spammer, please email j...@subspacefield.org to get blacklisted.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to