Certificates are a lot like pgp keys with one difference the public key
has be wrapped with the Public Key infrastructure (PKI). So a public
cert will not only contain the public key but it will also contain
information about what the key can be used for (signing, encrypting,
server, client, CA signing, etc..... ) who it was issued to and what CA
signed it (issue DN) it.
If you are going to build a client server application you I am guessing
you will want at lest 3 certificates.
CA - ( self sigen cert )
Client - ( certificate request signed by CA )
Server - ( certificate request signed by CA )
The certificate request is the public key and other information about
the uses (subject DN, etc ...) that gets signed by the CA. After it is
signed by the CA it is a PKI public cert.
Hope this helps a little.
Perry
Mark wrote:
Hi,
I am trying to add SSL to a propriatory tcp/ip application. I am
reasonably confident in the programming side but I am utterly confused
with regards to certificates. The more I read about this the more
confused I get :-(
I hope someone can help me understand how to set things up.
We have a client server application which we wish to secure. As there
are only
a few clients I think we can act as the CA. I have followed the
examples in
the Book "Network Security with OpenSSL" but do not understand what all
the files
I have created are for.
I would be grateful for some assistance and hopefully I will soon
understand things enough to ask some more specific questions.
TIA, Mark.
------------------------------------------------------------------------
# mkdir $ROOT_DIR
# cd $ROOT_DIR
# mkdir certs private
# chmod g-rwx,o-rwx private
# echo ‘01’ > serial
# touch index.txt
Contents of file $ROOT_DIR/openssl.cnf.....
-------------------------------------------------------------------------------------------------
[ca ]
default_ca = testca
[ testca ]
dir = /webserver/opt/testca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = md5
policy = testca_policy
x509_extensions = certificate_extensions
[ testca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = /webserver/opt/testca/private/cakey.pem # Must use
full path!
default_md = md5
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = test Test
stateOrProvinceName = test
countryName = CH
emailAddress = [EMAIL PROTECTED]
organizationName = Root Certification Authority
[ root_ca_extensions ]
basicConstraints = CA:true
-------------------------------------------------------------------------------------------------
# OPENSSL_CONF=${ROOT_DIR}/openssl.cnf
# cd $ROOT_DIR
# openssl req –x509 –newkey rsa:2048 –out cacert.pem –outform PEM –nodes
# cd $ROOT_DIR
# unsetenv OPENSSL_CONF
# openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem
-nodes -outform PEM
# setenv OPENSSL_CONF $ROOT_DIR/openssl.cnf
# openssl ca -in nucreq.pem
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]