Re: a simple ca question
Bernhard Froehlich wrote:
> Chong Peng wrote:
>> guys: how to tell a root certificate from a non-root certificate? is there a field in x509 structure for us to tell? thanks.
>
> Root certificates are self signed, that is the issuer equals the subject in the certificate.

AND the signature can be verified using the public key in that certificate.

> Hope it helps,
> Ted ;)

--
To verify the signature, see http://edelpki.edelweb.fr/
This lets you load the authority's certificate; you will also find the list of revoked certificates there.
Re: a simple ca question
Chong Peng wrote:
> guys: how to tell a root certificate from a non-root certificate? is there a field in x509 structure for us to tell? thanks.

Root certificates are self signed, that is the issuer equals the subject in the certificate.

Hope it helps,
Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
RE: a simple ca question
thanks for the reply. so that can i say that if a certificate is self signed, then it is a root certificate. how do i know a certificate is self signed?

another question is that, for example, if i want to use a self-signed certificate as my server certificate, so that during the ssl handshake phase, this self-signed certificate is going to be sent from the server to the client. to verify this self-signed certificate, what the client is supposed to do? to be specific, do i have to independently distribute this self-signed certificate to the client before the ssl handshake?

thanks.

chong peng

-----Original Message-----
From: Bernhard Froehlich [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 14, 2006 1:10 PM
To: openssl-users@openssl.org
Subject: Re: a simple ca question

Chong Peng wrote:
> guys: how to tell a root certificate from a non-root certificate? is there a field in x509 structure for us to tell? thanks.

Root certificates are self signed, that is the issuer equals the subject in the certificate.

Hope it helps,
Ted ;)
Re: a simple ca question
Chong Peng wrote:
> thanks for the reply. so that can i say that if a certificate is self signed, then it is a root certificate.

I'm not really sure if the definition of a root certificate also assumes that the CA basic constraint is also set, which would allow the certificate to be used as a CA certificate (that is, to sign other certificates)...

> how do i know a certificate is self signed?

Compare the issuer field of the certificate with the subject field. If they are equal the certificate is self signed.

> another question is that, for example, if i want to use a self-signed certificate as my server certificate, so that during the ssl handshake phase, this self-signed certificate is going to be sent from the server to the client. to verify this self-signed certificate, what the client is supposed to do? to be specific, do i have to independently distribute this self-signed certificate to the client before the ssl handshake?

As always, that depends... ;)

I'll assume that your clients are standard browsers. Then you can realize this by installing your certificate into the client users' browser. This is typically done by distributing the certificate independently.

Another possibility is, tell your client users the fingerprint of your certificate (preferably using a secure channel like paper mail or telephone) and tell them to check the fingerprint when accessing your site the first time, since the browser will then complain about an unknown certificate. If the fingerprint is correct, browsers offer an option to trust this certificate in the future.

Obviously the second way is easier for you but more difficult for your client users, especially if they are not computer freaks...

Hope it helps,
Ted ;)
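
The checks discussed in this thread (issuer equals subject, the signature verifying under the certificate's own public key, and the CA basic constraint), as an added shell example that is not part of the original posts. The helper function names, the certificate names such as `Constructed Root`, and the generated certificates are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
# Added example. All certificates are constructed test data (1-day validity).

# issuer == subject: the name comparison only; says nothing about keys
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# issuer == subject AND the signature verifies under the certificate's own key
# (-check_ss_sig makes "openssl verify" actually check that signature)
is_self_signed() {
    is_self_issued "$1" &&
        openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# CA basic constraint set (certificate may sign other certificates)
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Build three constructed certificates in directory $1:
#   root.pem   self-signed, CA:TRUE
#   leaf.pem   signed by root, different subject
#   spoof.pem  signed by root but carrying the root's subject name
make_samples() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/cnf"
    openssl req -config "$d/cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Root' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    n=2
    for pair in 'leaf:/CN=server.example' 'spoof:/CN=Constructed Root'; do
        f=${pair%%:*}
        openssl req -config "$d/cnf" -new -newkey rsa:2048 -nodes \
            -subj "${pair#*:}" -keyout "$d/$f.key" -out "$d/$f.csr" 2>/dev/null
        openssl x509 -req -in "$d/$f.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -set_serial "$n" -days 1 -out "$d/$f.pem" 2>/dev/null
        n=$((n + 1))
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_samples "$tmp"
for c in root leaf spoof; do
    is_self_issued "$tmp/$c.pem" && si=yes || si=no
    is_self_signed "$tmp/$c.pem" && ss=yes || ss=no
    is_ca "$tmp/$c.pem" && ca=yes || ca=no
    echo "$c: issuer==subject=$si self-signed=$ss CA=$ca"
done
```

The `spoof` certificate passes the name comparison but fails the signature check, which is why comparing issuer and subject alone does not establish that a certificate is self-signed.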