Thanks Arno :)

-daniel

-----Original Message-----
From: Arno Garrels
Sent: Wednesday, June 15, 2011 3:40 PM
To: ICS support mailing
Subject: Re: [twsocket] SSL server and Client cert.
Arno Garrels wrote:
daniel cc wrote:
Hi Arno,
Thanks for the response.
Yes, I do understand, but it looks like I can't explain it correctly.

My point is: if I buy a certificate for the server, and I need to connect
more than 5 clients to the same server, does this mean I need to have
5 certificates, or can I use 1 certificate which has 5 keys?

Clients do not need a certificate (and key) to be able to
connect to an SSL server.

Provided the server DOES NOT enforce client certificates
(as the German tax office server does).
Most servers don't. It is up to you how you set up the server.

And if you want client certificates, do that with your own
CA, but never ever send keys over the internet.
The client has to generate his private key locally and use
that to sign a certificate request. The certificate request
can be sent to the CA that will create the client certificate
and send it to the client. See OverbyteIcsX509Utils.pas
for a simple Delphi function to generate a key and a certificate request.

BTW: When you order a commercial certificate, the key and certificate request are created by either an ActiveX or a Java
browser plugin.

--
Arno Garrels

I hope it is clear this time.

Thanks

-----Original Message-----
From: Arno Garrels
Sent: Wednesday, June 15, 2011 1:55 PM
To: ICS support mailing
Subject: Re: [twsocket] SSL server and Client cert.

daniel cc wrote:
Thanks again, can you please clear this up a bit?
I understand the server certification, but

Do you really?

where do I get the client key which is that PEM file?

Do you need/want client certificates? If so, the server
will have to verify client certificates during the SSL handshake
process.

Is it delivered with the certificate or should I buy that
separately?

When you order an SSL certificate a matching key is created;
you always get a key along with your certificate, otherwise the
certificate would be useless.

Usually you buy an SSL server certificate. Its common name field is
the DNS name of the server, e.g. smtp.gmail.com or
www.microsoft.com.

If clients may connect from dynamic IP addresses, a certificate
can be issued neither to an IP nor to a DNS name, hence it is rather
useless. In such a case a good password is as secure as a client
certificate that e.g. has some ID in its common name field.
And if both clients and server are under your control it is
not required to buy a certificate; just create your own CA
and certificates (server and client if you like).

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
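The enrolment flow Arno describes (the client generates its private key locally, only a certificate request goes to the CA, the CA returns the certificate) and the server-side enforcement of client certificates during the handshake, as an added Go example written for this page; it is not ICS code and not part of the thread. It builds a private CA, enrols one server and one client under it, then runs a TLS handshake over an in-memory pipe with and without the client certificate. The names "Example Private CA", "server.example" and "client-0042" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const caName, serverDNS, clientID = "Example Private CA", "server.example", "client-0042" // constructed names, not from the thread

// newCA builds the self-signed "own CA" from the thread; its key never leaves the CA operator.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue is the CA's step: it sees only the CSR, never the requester's key, checks the CSR's
// self-signature (proof the requester holds that key) and signs a certificate for one purpose.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64, usage x509.ExtKeyUsage, dns []string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: dns,
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{usage}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// enrol is the requester's side: the private key is generated locally, only the signed CSR
// is handed to issue(), and the result pairs the CA's certificate with that local key.
func enrol(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64, usage x509.ExtKeyUsage, dns []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	der, err := issue(ca, caKey, csr, serial, usage, dns)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// mutualTLS handshakes over an in-memory pipe against a server that enforces client certificates and
// returns the accepted client identity. The server-side error covers both ends: the server only completes
// after a client that has already verified it, and RequireAndVerifyClientCert then guarantees a verified peer.
func mutualTLS(ca *x509.Certificate, srvCert tls.Certificate, cliCerts []tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: pool, SessionTicketsDisabled: true,
		ClientAuth: tls.RequireAndVerifyClientCert} // enforce client certs; no tickets keeps the pipe free of post-handshake writes
	cliCfg := &tls.Config{RootCAs: pool, ServerName: serverDNS, Certificates: cliCerts}
	c1, c2 := net.Pipe()
	srv, cli := tls.Server(c1, srvCfg), tls.Client(c2, cliCfg)
	go func() { _ = cli.Handshake(); c2.Close() }() // closing the raw end unblocks any server alert
	err := srv.Handshake()
	c1.Close()
	if err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	srvCert, err1 := enrol(ca, caKey, serverDNS, 2, x509.ExtKeyUsageServerAuth, []string{serverDNS})
	cliCert, err2 := enrol(ca, caKey, clientID, 3, x509.ExtKeyUsageClientAuth, nil)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	for _, certs := range [][]tls.Certificate{{cliCert}, nil} {
		id, err := mutualTLS(ca, srvCert, certs)
		fmt.Printf("client certificates presented: %d, accepted id=%q, err=%v\n", len(certs), id, err)
	}
}
```

The boundary that matters is the signature of issue(): it takes DER bytes of a request and a CA key, so the requester's private key cannot reach the CA by construction, and CheckSignature is what proves the requester holds the key it is asking a certificate for. Whether a server enforces client certificates is one setting (ClientAuth), which is the point of the thread's "provided the server does not enforce client certificates". SessionTicketsDisabled is only there because net.Pipe has no buffering; a real listener does not need it.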