Hi,

> >>> # openssl req -newkey rsa:1024 -keyout nuckey.pem
> >>> -keyform PEM -out nucreq.pem -nodes -outform PEM
> >>>
> >>> What are these key files for?
> >
> > I'm still not sure what these files are for. I guess that the
> > nuckey.pem is a private key (does this need loading with
> > SSL_CTX_use_certificate_chain_file?).
>
> It needs loading with SSL_CTX_use_PrivateKey()...

Thanks. I was actually trying to load the private key of the root
certificate here.

> SSL_CTX_use_certificate_chain_file() loads the CA certificates
> that issued your server certificate...

In my case, is that the self-signed root certificate?

> > I guess the nucreq.pem is the public key which requires
> > signing. Do I need to sign only this?
>
> Somehow you have to turn this request into a certificate.
> So you need to sign it...
>
> > I was trying to create a certificate for the server in the
> > above line :-)
> > Is the procedure the same for a client? I would have
> > thought some of it must be done on the client, otherwise
> > where would the client's private key reside?
>
> There you have a small problem:
> In client authentication the server sends a list of CA certificate DNs
> it will accept as signer for client certificates...

Is this done automatically in SSL_accept()?

> I don't know if self-signed client certificates will work with this...
> (could be, because the client certs have themselves as issuer)
>
> On the client you generate a client private key and a request.
> This request you turn into a certificate.
> (you can also use the -x509 option in openssl req to output a
> self-signed certificate)
> Now you must somehow make sure that the server has access to the
> certificate that issued the client certificate:
> Either by transporting the client's CA certificate to the server
> (for self-signed client certs, the client cert itself)
> or by transporting the client request to your CA and having it signed
> there (and transporting the client cert back to the client).

I think the latter would suffice, since we want to retain control. It does
seem rather cumbersome though.

> > What really confuses me is the examples I have seen, which seem to
> > all be different. Many seem to concatenate certificate or key files
> > and I don't know why, or whether I should be doing this.
>
> Some programs / examples expect the private key to be in the same
> file as the certificate.
> This has the advantage of keeping both at the same place,
> but the big disadvantage of having the data that must be private
> in the same place as the data that must be public...

Yes. That seems very odd to me!

Thanks for the help.

Regards,
Mark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
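The workflow the reply describes (client key and request, CA signing the request, server checking the issuer, and keeping the private key out of the public files) as an added shell example; this is not code from the thread or from the OpenSSL project, and the file names, subject DNs and 2048-bit key size are assumptions for the demo:

```shell
# Added example: CSR -> CA-signed certificate workflow with the openssl CLI.
# WORK, the file names and the DNs "Demo Root CA"/"demo-client" are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Root CA: -x509 makes "openssl req" emit a self-signed certificate instead
# of a request; -nodes leaves the private key unencrypted on disk.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/CN=Demo Root CA" 2>/dev/null
}

# Client side: private key plus request (the nuckey.pem/nucreq.pem pair).
# Only the request travels to the CA; the private key never leaves here.
make_client_request() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/clientkey.pem" -out "$WORK/clientreq.pem" \
        -subj "/CN=demo-client" 2>/dev/null
}

# CA side: sign the request; clientcert.pem is what goes back to the client.
sign_client_request() {
    openssl x509 -req -in "$WORK/clientreq.pem" -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/clientcert.pem" 2>/dev/null
}

# A self-signed client cert: the server's trust store will reject it
# unless that very certificate is added to the store.
make_selfsigned_client() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/selfkey.pem" -out "$WORK/selfcert.pem" \
        -subj "/CN=demo-client" 2>/dev/null
}

# Server side: verify a presented cert against only the CA file it holds
# (what SSL_CTX_load_verify_locations + SSL_VERIFY_PEER do in the handshake).
verify_against_ca() {
    openssl verify -no-CApath -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1
}

# Key and cert must belong together before loading both into one SSL_CTX
# (SSL_CTX_check_private_key tests this); compare public-key digests.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run `make_ca; make_client_request; sign_client_request` and then `verify_against_ca "$WORK/clientcert.pem"`; the CA key in cakey.pem and the client key in clientkey.pem stay in their own files, separate from the certificates that are handed out.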