> 1. Is there a way I can get rid of those certificates at all and still
> use openssl? This would give me the advantage that I don't implement
> stuff in our software that we don't need nor use and hence cannot
> cause bugs or support problems.
I assume you wish to create a secure (but unauthenticated) channel to
your server with https and then let the admin of the server send his pwd
over this channel, thereby establishing a secure and authenticated
channel between the server and the admin. To me it sounds like all you
have to do is:
1a) if writing your own client, create a root-cert and include it with
the client. Then create a server-cert signed by the pkey in the
root-cert.
1b) if using a browser, buy a server-cert from Verisign (or similar).
1c) if using a browser and having few admin-clients, let them install
your own root-cert into their browser (they download it from the server
and verify the fingerprint out of band, i.e. compare it with a piece of
paper posted to them). (root-cert created like in 1a).
2) use openssl on the server side (and, in 1a, on the client side) to
create the secure but unauthenticated https channel.
3) implement the pwd system you want on the server side.
Not many certs are involved, a root-cert + a server cert for each server
to be administrated.
Using anonymous https is pointless, since it jeopardizes (how do you
spell this? :-) the admin-pwds.
Sorry, don't know about Mac-ish issues.
--
------------------------------------------------------
Douglas Wikström <[EMAIL PROTECTED]>
------------------------------------------------------
Yes, God created Man before Woman,
but one always makes a draft before the masterpiece.
------------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
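The PKI from step 1a, worked through with the openssl command line, as an added example that is not part of the original mail. It builds the root certificate that would ship inside your own client, signs a server certificate with the root key, and then performs the check the client must do on every connection: accept only a certificate that chains to the embedded root and carries the expected name. A self-signed "rogue" certificate for the same name is also generated to show that a certificate not signed by your root is rejected, which is the whole difference between this setup and an anonymous https channel. The hostname `admin.example.internal` and the subject names are placeholders assumed for this example; the step-1c fingerprint is printed so it can be compared out of band.

```shell
#!/bin/sh
# Added example, not code from the original mail. Builds the step-1a PKI with
# the openssl CLI. Hostnames and subject names are assumptions for the demo.
set -eu

ADMIN_HOST="${ADMIN_HOST:-admin.example.internal}"   # assumed server name

# Create the private root CA that ships inside your own client, then a server
# certificate signed by that root. Everything is written into directory $1.
make_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1. Root certificate (self-signed; openssl's default req -x509 extensions
    #    mark it CA:TRUE). root.key never leaves the machine that signs servers.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/root.key" -out "$dir/root.crt" \
        -subj "/CN=Admin Channel Root CA" >/dev/null 2>&1

    # 2. Server key + CSR, then sign the CSR with the root key. The extension
    #    file pins the name the client will connect to and marks it a leaf.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$ADMIN_HOST" >/dev/null 2>&1
    printf '%s\n' \
        "basicConstraints=critical,CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=DNS:$ADMIN_HOST" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1

    # 3. A rogue self-signed certificate for the same name, standing in for
    #    what a man-in-the-middle would present. It is NOT signed by root.key.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" \
        -subj "/CN=$ADMIN_HOST" >/dev/null 2>&1
}

# What the client side of 1a must do on every connection: trust ONLY the
# embedded root ($1), require the chain to end there, and require that the
# certificate ($2) is issued for the host it is talking to ($3).
# Returns 0 if the certificate is acceptable, non-zero otherwise.
verify_against_root() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" \
        -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Fingerprint the admin compares out of band in 1c before trusting the root.
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone demo: build the PKI in a scratch directory and run both checks.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
echo "root fingerprint (compare out of band): $(root_fingerprint "$work/root.crt")"
if verify_against_root "$work/root.crt" "$work/server.crt" "$ADMIN_HOST"; then
    echo "server.crt: chains to our root and names $ADMIN_HOST, accepted"
fi
if ! verify_against_root "$work/root.crt" "$work/rogue.crt" "$ADMIN_HOST"; then
    echo "rogue.crt: not signed by our root, rejected"
fi
```

The `-no-CApath -no-CAfile` flags matter: without them `openssl verify` also consults the system trust store, so a certificate bought from any public CA would pass, which is not what a client with its own embedded root should accept. The `-verify_hostname` check is the second half of authentication; a certificate that chains correctly but names a different host must be rejected too. `-nodes` leaves the private keys unencrypted on disk for the demo; in practice protect root.key with a passphrase or keep it offline.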