On Tue, Nov 22, 2005 at 09:14:58AM -0000, Mark wrote:
> I'm still not sure what these files are for. I guess that the
> nuckey.pem is a private key (does this need loading with
> SSL_CTX_use_certificate_chain_file?).
> I guess the nucreq.pem is the public key which requires signing. Do I
> need to sign only this?

There are two halves to the keys. The client (let's call him Fred) generates a public and a private half. The public half gets added into the certificate request. That request gets turned into a certificate (let's call it the "client certificate") by using the private key of the cert authority.

The public half of the cert auth key is publicly available in their "self signed" root certificate. Hence you can look at a certificate, and if you trust the root cert (which you have to) you now know that that certificate was issued by them (because only they have their private key to sign it with).

Knowing that their public key is definitely theirs, you now know that the "client certificate" really does contain a public key matching the details listed for it. So you're now sure that you have Fred's public key.

How do you know that the person giving you Fred's certificate is Fred? After all, certificates are easy to copy. This is where Fred's private key comes in. Only Fred has it. You now KNOW you have Fred's public key, so Fred can encrypt something using his private key and if the certificate's public key decodes it... the person HAS to have Fred's private key. All you can assume from that is that he's Fred.

> The application is not web based. We have already developed a server
> application which uses a proprietary protocol over tcp/ip. We have
> also developed a companion client API (which our clients use). Now
> we have the requirement to secure this communication channel hence
> the adoption of OpenSSL.

This is what we're doing as well. We're signing the certificates for users. They call up the servers and present a certificate which authorises them. The root certificate is stored on the servers, and the fingerprint of it is stored in custom silicon (so no-one can change the entire hierarchy).
This is because some of the systems are not online and hence can't "call home" to check they have the correct root CA and one concern is physical subversion of the CA cert stored on the server's hard drive (both the users and the servers are out of our physical control, in essence).

The user certificates contain a list of servers they're allowed to access, along with which IPs they can do it from (so that stealing a copy of the certificate AND the private key won't let you access a server illicitly).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
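
The checks this reply describes, as an added example with the openssl command line (not part of the original message): a CA signs the request, the verifier compares the root's fingerprint with a pinned value before validating the chain, and the caller proves possession of the private key by signing a fresh nonce. Only nuckey.pem and nucreq.pem are the thread's file names; the other file names, the subject names and the function names are assumptions.

```shell
#!/bin/sh
# Added example. nuckey.pem and nucreq.pem are the thread's file names;
# every other file name and both subject names are assumptions.
set -e

pki_setup() {                     # $1 = empty working directory
    # CA: private key plus self-signed root certificate (the trust anchor).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    # Fred: private key (nuckey.pem) and certificate request (nucreq.pem).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Fred" \
        -keyout "$1/nuckey.pem" -out "$1/nucreq.pem" 2>/dev/null
    # The CA signs the request with its private key: the client certificate.
    openssl x509 -req -in "$1/nucreq.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -set_serial 1 -days 30 -out "$1/nuccert.pem" 2>/dev/null
}

root_fingerprint() {              # value a verifier would pin out of band
    openssl x509 -in "$1/cacert.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

verify_chain() {                  # $2 = pinned fingerprint of the root
    [ "$(root_fingerprint "$1")" = "$2" ] || return 1
    openssl verify -CAfile "$1/cacert.pem" "$1/nuccert.pem" >/dev/null 2>&1
}

prove_possession() {              # $2 = private key the caller claims is Fred's
    openssl rand -hex 32 > "$1/nonce.txt"                  # verifier: fresh challenge
    openssl dgst -sha256 -sign "$2" -out "$1/nonce.sig" "$1/nonce.txt"   # caller signs
    openssl x509 -in "$1/nuccert.pem" -noout -pubkey > "$1/nucpub.pem"   # key from cert
    openssl dgst -sha256 -verify "$1/nucpub.pem" -signature "$1/nonce.sig" \
        "$1/nonce.txt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    pki_setup "$d"
    pin=$(root_fingerprint "$d")
    verify_chain "$d" "$pin" && echo "certificate chains to the pinned root"
    prove_possession "$d" "$d/nuckey.pem" && echo "holder of nuckey.pem accepted"
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null    # caller with only a copy of the cert
    prove_possession "$d" "$d/other.pem" || echo "copied certificate, wrong key: rejected"
    rm -rf "$d"
}
demo
```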