Hi,

I am trying to add SSL to a proprietary tcp/ip application.  I am
reasonably confident in the programming side but I am utterly confused
with regards to certificates.  The more I read about this the more
confused I get :-(

I hope someone can help me understand how to set things up.

We have a client server application which we wish to secure.  As there
are only a few clients I think we can act as the CA.  I have followed the
examples in the Book "Network Security with OpenSSL" but do not understand
what all the files I have created are for.

I would be grateful for some assistance and hopefully I will soon
understand things enough to ask some more specific questions.

TIA, Mark.
# mkdir $ROOT_DIR
# cd $ROOT_DIR
# mkdir certs private
# chmod g-rwx,o-rwx private
# echo '01' > serial
# touch index.txt


Contents of file $ROOT_DIR/openssl.cnf.....
-------------------------------------------------------------------------------------------------

[ca ]
default_ca              = testca

[ testca ]
dir                     = /webserver/opt/testca
certificate             = $dir/cacert.pem
database                = $dir/index.txt
new_certs_dir           = $dir/certs
private_key             = $dir/private/cakey.pem
serial                  = $dir/serial

default_crl_days        = 7
default_days            = 365
default_md              = md5

policy                  = testca_policy
x509_extensions         = certificate_extensions

[ testca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = optional

[ certificate_extensions ]
basicConstraints        = CA:false

[ req ]
default_bits            = 2048
default_keyfile         = /webserver/opt/testca/private/cakey.pem # Must use full path!
default_md              = md5

prompt = no
distinguished_name      = root_ca_distinguished_name

x509_extensions         = root_ca_extensions

[ root_ca_distinguished_name ]
commonName              = test Test
stateOrProvinceName     = test
countryName             = CH
emailAddress            = [EMAIL PROTECTED]
organizationName        = Root Certification Authority

[ root_ca_extensions ]
basicConstraints        = CA:true

-------------------------------------------------------------------------------------------------
# setenv OPENSSL_CONF ${ROOT_DIR}/openssl.cnf

# cd $ROOT_DIR
# openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -nodes


# cd $ROOT_DIR
# unsetenv OPENSSL_CONF
# openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM

# setenv OPENSSL_CONF $ROOT_DIR/openssl.cnf
# openssl ca -in nucreq.pem
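
An added example, not part of the original post: the same procedure run end to end in a scratch directory, with each resulting file labelled by what it is (CA certificate, CA private key, client key, certificate request, issued certificate, CA bookkeeping). Assumptions that differ from the post: sha256 where the post's config has md5, a commonName-only policy, a 2048-bit client key, `-subj` instead of interactive prompts, and the hypothetical helper names `pem_kind` and `build_test_ca`.

```shell
# Added example, not the post's code. Assumed: sha256 (post: md5), CN-only policy, -subj.
pem_kind() {  # hypothetical helper: classify a file by its first line
  case "$(head -n 1 "$1")" in
    "-----BEGIN CERTIFICATE-----")         echo "certificate (public)" ;;
    "-----BEGIN CERTIFICATE REQUEST-----") echo "certificate request (CSR)" ;;
    *"PRIVATE KEY-----")                   echo "private key (keep secret)" ;;
    *)                                     echo "CA bookkeeping (not PEM)" ;;
  esac
}
build_test_ca() (  # hypothetical helper, runs in a subshell; $1 stands in for $ROOT_DIR
  mkdir -p "$1/certs" "$1/private" && cd "$1" && chmod go-rwx private || exit 1
  echo 01 > serial; : > index.txt
  cat > openssl.cnf <<EOF
[ ca ]
default_ca = testca
[ testca ]
dir = $PWD
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
serial = \$dir/serial
default_md = sha256
policy = testca_policy
x509_extensions = certificate_extensions
[ testca_policy ]
commonName = supplied
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = Test Root CA
[ root_ca_extensions ]
basicConstraints = CA:true
EOF
  exec >/dev/null 2>&1  # silence openssl; remove this line to watch each step
  # 1) CA key + self-signed CA cert, 2) client key + CSR, 3) CA signs, 4) check chain
  openssl req -x509 -config openssl.cnf -newkey rsa:2048 -nodes -days 365 -keyout private/cakey.pem -out cacert.pem &&
  openssl req -config openssl.cnf -newkey rsa:2048 -nodes -subj "/CN=nuc client" -keyout nuckey.pem -out nucreq.pem &&
  openssl ca -config openssl.cnf -batch -notext -days 365 -in nucreq.pem &&
  openssl verify -CAfile cacert.pem certs/01.pem
)

d=$(mktemp -d) && build_test_ca "$d" &&
  for f in cacert.pem private/cakey.pem nuckey.pem nucreq.pem certs/01.pem index.txt serial; do
    printf '%-18s %s\n' "$f" "$(pem_kind "$d/$f")"
  done
```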

