Mark,

I am assuming that you are aware of the need for certificates (the need
for public key cryptography).

Now, regarding your query on creating those files to set up a CA: the
need for a CA (in your client/server architecture, and in very simple
terms) is to provide all the clients with some credentials that will
provide a level of trust for the server when a communication channel is
to be established, and vice versa if we need client authentication. For
this to happen, all the clients must have some credentials (which is the
certificate signed by the CA). This is, in general, the need for a CA.

Now, the different files you need to create for setting up the CA:

dir                     = /webserver/opt/testca
The dir where you want all the details regarding this CA to be stored...

certificate             = $dir/cacert.pem
Every client or server can be identified using the certificate provided
by that machine/user. A certificate will contain two parts, public and
private keys; as the name implies, the public can be provided to anyone
and the private should be kept confidential. Here the CA must have these
keys set up before it can be used as a CA. The file created here is the
CA's public key (public certificate). PEM is the file format.

database                = $dir/index.txt
This is for the CA to keep track of all the entities who have requested
the CA for the service and to whom the CA has provided the service. In
here the CA will record all the clients that it has certified
(certification is the process of signing the public key with the CA's
private key, just to give any 3rd party the trust that the CA has
validated the credentials provided by this entity and it is trustworthy...)

new_certs_dir           = $dir/certs
This dir will contain the list of public keys that this CA has
certified. In your case this will contain all the public keys (public
certificates) of your clients...

private_key             = $dir/private/cakey.pem
This file will contain the private key corresponding to the cacert.pem
file (this is the CA's private key).

serial                  = $dir/serial
Every certificate which the CA signs must have a serial number for the CA
to validate any details in future. This file is created with some value,
normally 01, which is like the starting number for the serial numbers.
The serial number gets incremented as and when you use this CA to sign
certificates for your clients, and each client is identified by its
serial number by the CA.

I could keep explaining on and on... But I will leave it now and wait
for you to come back with more specific doubts... Hope this helped..

Cheers,
Dinesh Kallath
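
The [ CA_default ] entries walked through above, turned into a runnable setup as an added example (this is not code from the thread or from the OpenSSL project). It creates the directory, database and serial file, generates the CA key pair and self-signed cacert.pem, and signs client CSRs with `openssl ca`; the /tmp-style location, the "Demo Test CA" and client names are constructed for the demo.

```shell
#!/bin/sh
# Added example: minimal OpenSSL CA built from the files described above.
set -e

setup_ca() {            # $1 = directory in which to create the CA (assumed path)
  dir="$1"
  mkdir -p "$dir/certs" "$dir/private"
  chmod 700 "$dir/private"        # the CA's private key must stay confidential
  : > "$dir/index.txt"            # database: empty until the first certificate is signed
  echo 01 > "$dir/serial"         # serial: the first signed certificate gets 01
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
certificate     = \$dir/cacert.pem
database        = \$dir/index.txt
new_certs_dir   = \$dir/certs
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # CA key pair plus self-signed CA certificate (cacert.pem holds the public half)
  openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
    -subj "/CN=Demo Test CA" -days 3650 2>/dev/null
}

sign_client() {         # $1 = CA dir, $2 = client name; prints the serial assigned
  dir="$1"; name="$2"
  # Client generates its own key and a CSR; only the CSR goes to the CA
  openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
  # CA signs it: index.txt gains a row, serial is incremented, a copy lands in certs/
  openssl ca -config "$dir/openssl.cnf" -batch -notext \
    -in "$dir/$name.csr" -out "$dir/$name.pem" >/dev/null 2>&1
  openssl x509 -in "$dir/$name.pem" -noout -serial
}
```

After two calls to sign_client, index.txt holds two rows, serial reads 03, and certs/ holds 01.pem and 02.pem, which is exactly the bookkeeping the reply describes.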


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark
Sent: 21 November 2005 15:25
To: openssl-users@openssl.org
Subject: Certificates


Hi,

I am trying to add SSL to a proprietary TCP/IP application.  I am
reasonably confident in the programming side but I am utterly confused
with regards to certificates.  The more I read about this the more
confused I get :-(

I hope someone can help me understand how to set things up.

We have a client server application which we wish to secure.  As there
are only a few clients I think we can act as the CA.  I have followed
the examples in the Book "Network Security with OpenSSL" but do not
understand what all the files I have created are for.

I would be grateful for some assistance and hopefully I will soon
understand things enough to ask some more specific questions.

TIA, Mark.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]