On 2009.05.12 at 12:36:39 -0400, Ron Gewirtzman wrote:

> Hello,
>
> I was hoping you could help me. I was told by a Thawte and Verisign
> representative that if we create our own certificate that we would still
> need to use a "root file" is this correct.

A certificate is just a public key with some identity information about the owner of the corresponding private key, signed with some other key. To ensure that an SSL client connects to the right host, it must build a chain of trust from the server certificate presented by the server during the handshake (the handshake includes verification that the server has the corresponding private key) to some public key known to and trusted by your system in advance.

The problem is how to make the user's system trust the certificate of your CA. All operating systems and some software (i.e. browsers) ship with some set of trusted root certificates (i.e. certificates which are trusted by the corresponding software vendors). Typically Verisign and Thawte are among those trusted authorities.

You can run your own CA, but you have to have some way to distribute the root (self-signed) certificate of this CA to your users, so this certificate would be trusted by their software before the software attempts to connect to your site.

If you are distributing your own client software, you can just include the certificate of your CA in the distribution of this software (and maybe take the necessary actions during the installation procedure to install this certificate into the system trusted certificate store. This is not necessary if your client software uses OpenSSL. You can just configure OpenSSL-based software to search for trusted certificates where you put them).

If people use standard software (i.e. browsers) to connect to your site, you can tell them to download and install your CA certificate separately, before they try to establish a secure connection to your site. This procedure is relatively easy. Typically it requires a few clicks in dialog windows. By doing these clicks your users tell their software that it is a certificate trusted by them, not by some software vendor.

There can be some problems with mobile equipment such as smartphones. These things are designed so they don't trust their owner, only their vendor.

Also you can run a secondary CA, i.e. a CA which signs certificates with a key whose public part is signed by some other CA (such as Thawte) which is trusted by software vendors. Typically public CAs charge much more for a secondary CA certificate than for an individual server or person certificate. In this case client software has to obtain the secondary CA certificate before it can build a trust chain from your server certificate (presented during the handshake) to the trusted CA certificate which was shipped with their system. It is possible to present this secondary CA certificate during the handshake along with the server certificate.

You don't need any software except openssl itself to run your own CA, either with a self-signed root cert or a secondary one.

> Would you recommend using open source SSL for store front security and is
> this something a beginning developer could do?
>
> Thank you,
>
> Ron Gewirtzman

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
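The chain the reply describes (self-signed root, secondary CA signed by the root, server certificate signed by the secondary CA, and the check a client that trusts only the root performs), as an added example built with the openssl CLI alone; it is not code from the thread. The CA names, file names and the host name shop.example.com are constructed placeholders.

```shell
# Added example (not from the mailing-list thread). All subject names, file
# names and the host shop.example.com are constructed placeholders.
set -e

# make_chain DIR: root CA (self-signed), secondary CA signed by the root,
# server certificate signed by the secondary CA, and chain.pem for the server.
make_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Extensions that mark a certificate as a CA; the secondary CA gets pathlen:0
  # so it can sign end-entity certificates only, not further CAs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:shop.example.com\n' > "$dir/server.ext"

  # 1. Root CA: key + CSR, then self-signed. root.pem is what users must install.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -sha256 \
    -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null

  # 2. Secondary CA: its public key is signed by the root CA's key.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Secondary CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null

  # 3. Server certificate, signed by the secondary CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=shop.example.com" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null

  # What the server should present during the handshake: its own cert followed
  # by the secondary CA cert, so clients holding only root.pem can build the chain.
  cat "$dir/server.pem" "$dir/inter.pem" > "$dir/chain.pem"
}

# verify_chain ROOT INTERMEDIATE SERVER: models a client that trusts only ROOT.
# INTERMEDIATE is the cert sent in the handshake; pass "" for a server that sends none.
verify_chain() {
  root="$1"; inter="$2"; server="$3"
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$server" >/dev/null 2>&1
  fi
}
```

Running make_chain in a scratch directory and then verify_chain once with inter.pem and once with "" shows why the secondary CA certificate has to reach the client, either pre-installed or sent during the handshake.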
