Hello all, I'm writing an app that encrypts real-time communications between two people, so I thought that I would use X.509 certificates so that if the user already has some certificates used by their email program, then my prog could just use them. I figured this would cut down on session negotiation time since DSA_generate_parameters() at higher key sizes produces 30 seconds or more of thumb-twidling even when running on my dual P3-450 with 640MB ram. I'd hate to think how long it would take on a closer to average desktop like P2-333 with only 64MB or 32MB. :-(
Anyways, just to familiarize myself with OpenSSL's certificate handling routines, I decided to write a mini certificate manager program. I can create certificates and certificate requests that appear to be the same as ones generated by using openssl req/x509 (using openssl req/x509 -noout -text to compare), but I am not complete sure as to some things. If somebody could answer the questions I have listed below or point me to some website with answers, I would really appreciate it! I could definately use some sort of primer, "Introduction to X.509 Certificates and Public Key Cryptography for the Experienced Programmer" or the like. :-) 1) When doing openssl req -x509, am I correct in assuming that the output is a self-signed certificate? I am mildy confused about this since I thought that openssl req is for making certificate signing requests (CSRs) - are there some certifcate authorities (CAs) that take a straight X.509 certificates and work on them, or is this just a usability enhancement for making self-signed certificates? 2) When making a CSR, what is the challengePassword attribute used for? Is it a must have for any CSR to send in to a CA? 3) When making a (self-signed) certificate, what exactly are the X509v3 extensions subjectKeyIdentifier and authorityKeyIdenfier for? Am I right in assuming that when merely using a certificate as a handy method of storing public keys these extensions aren't really necessary? And that they would be added by a CA when processing a CSR and then they are both used in verification of the certificate via OCSP or whatever method? IOW, for a self-signed certificate, subjectKeyIdentifier and authorityKeyIdenfier are basically superfluous/useless because the average person is not going to have some kind of verification server running? 4) When making a self-signed certificate, what is the X509v3 extension basicConstraints used for? Doing openssl req -x509 sets it to "CA:TRUE", but in the default openssl.cnf in the usr_cert section it is "CA:FALSE". Is this because in a self-signed certificate the person is essentially acting as their own CA and this would be the root certificate for that CA? And when processing a CSR, the CA will add basicContraints="CA:FALSE" to the output certificate? 5) Somewhere I stumbled across that only the root certificate of a CA should have a serial number of 0. Is this why when doing openssl req -x509 for a self-signed certificate the serial number is set to 0 because the person is essentially their own CA (as in #4 above)? So then is the serial number intended to be something that is uniquely generated for each certificate by a CA? Thanks in advance to anybody who can answer my questions or direct me to an approriate website. __________________________________________________ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes http://finance.yahoo.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
