> May I ask some questions? I am still a little bit confused about
> how to use certificates for application authentication. What I know is
> that in the certificate there's a public key. Then we use the public key to
> encrypt a message and the private key to decrypt the message.
>
You should search the internet for public-key encryption ;)

In general it would work like this:
Your application knows the root CA certificate or that of a sub-CA
(so this is quite often the self-signed public key of the root CA).

A certificate is a signed public key of a key pair which consists of a 
public and a private key. The signing is done with the private key of the 
root CA or sub-CA, depending on the installation; usually the sub-CA.

If an application has the certificate of the root CA, it can then check, 
through the chain of CA certificates, whether any certificate supplied is signed 
by the root CA or a sub-CA, and deny or allow access.

Since a certificate is valid for a specific time, and there are cases when 
access should be denied to such a valid certificate, there are several 
options to cope with those situations.

There is a thing called a CRL, a certificate revocation list. This list is 
issued by the CA and contains those certificates that may still be valid in 
terms of time but are revoked for another reason: the owner left the organization, 
the private key was lost/stolen (or the card it is on), and so on. Such a list is 
usually valid for a certain amount of time defined in the organizational 
security policies, but is usually issued immediately after a new cert is added 
to it.

So the application usually has the CA certificate and the CRL and checks 
both. The application tries to check if there is a new CRL available, but 
uses the one it has as long as it is valid. If it (the CRL) is not valid anymore, 
the application denies access to the service for all certificates or 
works with the old one; this is also up to the policies...

A CRL has a problem, and that's the time between when a valid certificate isn't 
allowed to access a service anymore and the time it takes to process this 
case, issue a new CRL and let the application fetch it (or push it to the 
application), but this depends on the needs and policies too.

Therefore there is a second approach, which is an online-based check of validity, and 
a protocol called OCSP for that. But this needs the OCSP responder 
to be available always, and so on.

In this case the application wouldn't check the CRL but ask the 
OCSP responder whether a certain certificate is still valid or not.


Kind Regards
Ives


_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
