Nicko van Someren wrote:
> 
> I want to use SSLeay's CA facilities to make certificates for Netscape
> Communicator 4 users.  I need to make certificates for both S/MIME and
> for SSL client operation.  I have a couple of questions about this
> which I am hoping people on this list might be able to help with.
> 
> The first question is how does Netscape expect the user's private keys
> to be generated?  I can't find an option in Communicator that makes it
> create a new key.  Is it expected that the CA will make the key for
> the user?  This has hideous security and privacy implications.

The Netscape browser will generate its own key pair upon SUBMIT
of an HTML form with the KEYGEN tag in it.  Only the public key is
submitted.

It is submitted as a base64-encoding of the DER encoding of
a SubjectPublicKeyAndChallenge structure.  There is code in
the SSLeay package supporting decoding this format.

> 
> Secondly, can someone advise as to the format and MIME type the
> certificate files should take?  I am expecting they will be in DER
> format as this is the way Communicator swallows server and CA
> certificates but usually you have to provide a specific MIME type and
> I don't know how to type them.  I guess if the key is being created
> externally I need to know the answer to this question for the key
> files too.

The browser will accept certificates matching private keys that
IT OWNS under the mime-type "application/x-x509-user-cert" and one
of a number of content formats. (See reference below).

It will accept certificates for OTHER email correspondents (for
which it needs the public key) under the mime type
"application/x-x509-email-cert" and the same set of content
formats.

For further information on all of these topics consult
http://home.netscape.com/eng/security/certs.html

Follow the links labelled Key Generation and
Certificate Download Formats.

--a.


-- 
Anil R. Gangolli
Structured Arts Computing Corp.
http://www.StructuredArts.com
mailto:[EMAIL PROTECTED]
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/  |
+-------------------------------------------------------------------------+
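
A CA-side check of a KEYGEN submission as described in the reply above, as an added example that is not part of the original message and is not SSLeay's code. It assumes the layout Netscape's KEYGEN documentation calls SignedPublicKeyAndChallenge; read_tlv, parse_spkac, der and sample_spkac are hypothetical names, the sample uses placeholder key bytes, and the signature is located but not verified, which a CA still has to do before issuing.

```python
import base64, hmac

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 2 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_spkac(b64_text, expected_challenge):
    """Return the SubjectPublicKeyInfo DER if the structure and challenge check out."""
    der_bytes = base64.b64decode("".join(b64_text.split()), validate=True)
    tag, outer, end = read_tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("not a single DER SEQUENCE")
    tag, pkac, pos = read_tlv(outer)              # PublicKeyAndChallenge
    spki_tag, _, spki_end = read_tlv(pkac)        # SubjectPublicKeyInfo
    ch_tag, challenge, ch_end = read_tlv(pkac, spki_end)
    alg_tag, _, pos = read_tlv(outer, pos)        # signatureAlgorithm
    sig_tag, _, pos = read_tlv(outer, pos)        # signature BIT STRING
    if (tag, spki_tag, ch_tag, alg_tag, sig_tag) != (0x30, 0x30, 0x16, 0x30, 0x03):
        raise ValueError("unexpected element types")
    if ch_end != len(pkac) or pos != len(outer):
        raise ValueError("trailing data inside structure")
    if not hmac.compare_digest(challenge, expected_challenge.encode("ascii")):
        raise ValueError("challenge mismatch")
    return pkac[:spki_end]

# --- constructed sample (placeholder key and signature bytes, not a real key) ---
def der(tag, value):
    n = len(value)
    head = bytes([n]) if n < 0x80 else bytes([0x80 | ((n > 0xFF) + 1)]) + n.to_bytes((n > 0xFF) + 1, "big")
    return bytes([tag]) + head + value

def sample_spkac(challenge=b"nonce-1234"):
    alg = lambda last: der(0x30, der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last])) + der(0x05, b""))
    spki = der(0x30, alg(1) + der(0x03, b"\x00" + bytes(range(140))))
    body = der(0x30, spki + der(0x16, challenge)) + alg(4) + der(0x03, b"\x00" + bytes(64))
    return base64.b64encode(der(0x30, body)).decode(), spki
```

The challenge comparison ties a submission to the form the CA served, so a replayed public key from an earlier request is rejected before any certificate is built.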
