Hi, I am trying to add SSL to a proprietary TCP/IP application. I am reasonably confident in the programming side but I am utterly confused with regards to certificates. The more I read about this the more confused I get :-(
I hope someone can help me understand how to set things up. We have a client/server application which we wish to secure. As there are only a few clients I think we can act as the CA. I have followed the examples in the book "Network Security with OpenSSL" but do not understand what all the files I have created are for. I would be grateful for some assistance, and hopefully I will soon understand things enough to ask some more specific questions. TIA, Mark.
# mkdir $ROOT_DIR
# cd $ROOT_DIR
# mkdir certs private
# chmod g-rwx,o-rwx private
# echo 01 > serial
# touch index.txt

Contents of file $ROOT_DIR/openssl.cnf.....
-------------------------------------------------------------------------------------------------
[ ca ]
default_ca = testca

[ testca ]
dir = /webserver/opt/testca
certificate = $dir/cacert.pem              # the CA's own self-signed certificate (the trust anchor)
database = $dir/index.txt                  # text database: one line per certificate issued
new_certs_dir = $dir/certs                 # copy of every issued certificate, named <serial>.pem
private_key = $dir/private/cakey.pem       # the CA signing key; must stay unreadable to others
serial = $dir/serial                       # serial number the next issued certificate gets
default_crl_days = 7
default_days = 365
default_md = md5                           # md5 is obsolete for signatures; current OpenSSL defaults to sha256
policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = /webserver/opt/testca/private/cakey.pem    # Must use full path!
default_md = md5
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = test Test
stateOrProvinceName = test
countryName = CH
emailAddress = [EMAIL PROTECTED]
organizationName = Root Certification Authority

[ root_ca_extensions ]
basicConstraints = CA:true
-------------------------------------------------------------------------------------------------
# setenv OPENSSL_CONF ${ROOT_DIR}/openssl.cnf
# cd $ROOT_DIR
# openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -nodes
# cd $ROOT_DIR
# unsetenv OPENSSL_CONF
# openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM
# setenv OPENSSL_CONF $ROOT_DIR/openssl.cnf
# openssl ca -in nucreq.pem
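The following is an added example, not part of the original post or of the book it follows. It builds the same layout the post creates (serial, index.txt, certs/, private/) in a throw-away directory, issues one client certificate with `openssl ca`, and then uses `openssl verify` to show what the CA certificate is for: a certificate the CA signed chains to it, and a certificate with the identical subject that the CA never signed does not. Every path, section name and subject below is constructed for the demo; the only requirement is an `openssl` binary on the PATH (the function reports SKIP without one).

```shell
#!/bin/sh
# Added example, not code from the original post: build a throw-away private CA
# in a temporary directory with the same files the post creates (serial, index.txt,
# certs/, private/), issue one client certificate with "openssl ca", and check that
# the CA certificate accepts that certificate and rejects one it did not sign.
# Every path, name and subject below is constructed for the demo.
set -eu

demo_ca() {
    command -v openssl >/dev/null 2>&1 || { echo SKIP; return 0; }
    work=$(mktemp -d)
    mkdir "$work/certs" "$work/private"
    chmod 700 "$work/private"      # only the CA operator may read the signing key
    echo 01 > "$work/serial"       # serial number the next issued certificate gets
    : > "$work/index.txt"          # CA database: openssl ca appends one line per cert

    # Minimal config. [ ca ] drives "openssl ca"; [ req ] drives "openssl req".
    # $dir is expanded by OpenSSL itself, so it is escaped from the shell here.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir = $work
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
serial = \$dir/serial
default_days = 365
default_md = sha256
policy = demo_policy
x509_extensions = client_ext

[ demo_policy ]
commonName = supplied

[ client_ext ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF

    # 1. Self-signed CA certificate plus its private key (cacert.pem / private/cakey.pem).
    openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Root CA" -keyout "$work/private/cakey.pem" \
        -out "$work/cacert.pem" >/dev/null 2>&1

    # 2. Client key and certificate request (the role of nuckey.pem / nucreq.pem in the post).
    openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=client1" -keyout "$work/client.key" \
        -out "$work/client.csr" >/dev/null 2>&1

    # 3. Sign the request: this updates index.txt and serial and drops a copy in certs/.
    openssl ca -batch -config "$work/ca.cnf" -in "$work/client.csr" \
        -out "$work/client.pem" >/dev/null 2>&1

    # 4. The CA certificate is the trust anchor: the issued certificate chains to it ...
    openssl verify -CAfile "$work/cacert.pem" "$work/client.pem" >/dev/null 2>&1

    # ... and a self-signed certificate carrying the same subject does not.
    openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=client1" -keyout "$work/rogue.key" \
        -out "$work/rogue.pem" >/dev/null 2>&1
    if openssl verify -CAfile "$work/cacert.pem" "$work/rogue.pem" >/dev/null 2>&1; then
        echo "FAIL: unsigned certificate verified"; rm -rf "$work"; return 1
    fi

    # 5. Bookkeeping after one issuance: one "V" (valid) row, serial advanced to 02,
    #    and certs/01.pem holding the copy of the certificate just issued.
    [ "$(grep -c '^V' "$work/index.txt")" = 1 ] || { echo "FAIL: index.txt"; return 1; }
    [ "$(cat "$work/serial")" = 02 ] || { echo "FAIL: serial"; return 1; }
    [ -f "$work/certs/01.pem" ] || { echo "FAIL: certs/"; return 1; }

    rm -rf "$work"
    echo OK
}

demo_ca
```

The point for the application is the last two verify calls: whatever the client and server end up checking at the TLS layer must be the equivalent of `openssl verify -CAfile cacert.pem`, so that only certificates this CA issued are accepted and a self-signed certificate with a matching name is refused. The files cakey.pem and the per-client key files are the secrets; cacert.pem is the public part that every peer needs to hold in order to do that check.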