Mark wrote:
Hi,

The following command seems to create a new public and private key:

# openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM

What are these key files for? I'm still not sure what these files are for. I guess that the nuckey.pem is a private key (does this need loading with SSL_CTX_use_certificate_chain_file?).
It needs loading with SSL_CTX_use_PrivateKey()... SSL_CTX_use_certificate_chain_file() loads the CA certificates that issued your server certificate...
I guess the nucreq.pem is the public key which requires signing. Do I need to sign only this?
Somehow you have to turn this request into a certificate. So you need to sign it...
I was trying to create a certificate for the server in the above line :-) Is the procedure the same for a client? I would have thought some of it must be done on the client otherwise where would the client's private key reside?
There you have a small problem: in client authentication the server sends a list of CA certificate DNs it will accept as signer for client certificates... I don't know if self-signed client certificates will work with this... (could be, because the client certs have themselves as issuer)

On the client you generate a client private key and a request. This request you turn into a certificate. (You can also use the -x509 option in openssl req to output a self-signed certificate.) Now you must somehow make sure that the server has access to the certificate that issued the client certificate: either by transporting the client's CA certificate to the server (in the case of self-signed client certs, the client cert itself), or by transporting the client request to your CA and having it signed there (and transporting the client cert back to the client).
What really confuses me is the examples I have seen which seem to all be different. Many seem to concatenate certificate or key files and I don't know why and whether I should be doing this.
Some programs / examples expect the private key to be in the same file as the certificate. This has the advantage of keeping both at the same place, but the big disadvantage of having the data that must be private in the same place as the data that must be public...

Bye
Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
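The whole procedure discussed in this thread, as an added example that is not part of the original exchange: a small private CA, a server key and request that the CA signs, the same on the client side, and the two checks worth running afterwards (does this private key belong to this certificate, and does this certificate chain to this CA). The file names, subject names and the 2048-bit key size are assumptions for the illustration; the key sizes and names in Mark's command are not reused. On the OpenSSL API side the pieces map as follows: the key file goes to SSL_CTX_use_PrivateKey_file(), the certificate file to SSL_CTX_use_certificate_chain_file(), and ca.pem is what the server hands to SSL_CTX_load_verify_locations() so it can verify client certificates issued by that CA.

```shell
#!/bin/sh
# Added example: build a test CA, a CA-signed server cert and a CA-signed
# client cert with the openssl CLI, then check the results.
# All file names and subject names below are illustrative assumptions.
set -eu

# make_pki DIR: create ca.key/ca.pem, server.key/server.pem,
# client.key/client.pem and server-combined.pem under DIR.
make_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1. The CA: private key plus a self-signed certificate in one step
    #    (-x509). -nodes leaves the key unencrypted, as in Mark's command.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Test CA" 2>/dev/null

    # 2. Server: a private key and a certificate request. This is exactly
    #    what "openssl req -newkey ... -keyout ... -out ..." produces:
    #    server.key must stay on the server, server.csr is public data.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=server.example" 2>/dev/null

    # 3. Turn the request into a certificate by signing it with the CA key.
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -out "$dir/server.pem" 2>/dev/null

    # 4. Client side: the same two steps. Only client.csr travels to the
    #    CA and only client.pem travels back; client.key never leaves.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=mark@example" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -out "$dir/client.pem" 2>/dev/null

    # 5. The concatenated form some examples expect: certificate first,
    #    private key after it, in one PEM file. It now contains private
    #    material, so it must be protected like the bare key.
    cat "$dir/server.pem" "$dir/server.key" > "$dir/server-combined.pem"
    chmod 600 "$dir"/*.key "$dir/server-combined.pem"
}

# key_matches_cert KEY CERT: succeed if the RSA private key in KEY belongs
# to the certificate in CERT (same modulus). Both may be the same combined
# file; openssl picks the first key resp. the first certificate it finds.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chains_to_ca CERT CA: succeed if CERT verifies against the CA in CA.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# is_self_signed CERT: succeed if issuer and subject are the same name.
is_self_signed() {
    i=$(openssl x509 -in "$1" -noout -issuer) || return 1
    s=$(openssl x509 -in "$1" -noout -subject) || return 1
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_pki "$d"
    for f in ca server client; do
        printf '%s: ' "$f"; openssl x509 -in "$d/$f.pem" -noout -subject -issuer | tr '\n' ' '; echo
    done
    key_matches_cert "$d/server.key" "$d/server.pem" && echo "server key matches server cert"
    chains_to_ca "$d/client.pem" "$d/ca.pem" && echo "client cert chains to ca.pem"
    rm -rf "$d"
fi
```

Run with `sh pki-example.sh --demo` to see the subjects and issuers, or source the file and call make_pki on a directory of your choice. The -modulus comparison is the quick way to answer "is nuckey.pem the key for this certificate"; openssl verify with -CAfile is the check the server will effectively perform on a client certificate, so if that fails here, client authentication will fail on the wire as well.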