Sorry.  I said something stupid.  You are right.  Somehow I assumed that
you were also giving the client a certificate and key (these are needed
if you tell the server to do client authentication).

Andrew

Skye Poier wrote:
> 
> OK this is a source of some of my confusion.  I thought the client only
> needed the public key of the server, signed by the CA?
> 
> Skye
> 
> Word on the street is that Andrew Cooke said:
> >
> >
> > Skye Poier wrote:
> > >
> > > I think I might have it figured out.
> > >
> > > 1. Do steps at http://www.intertrader.com/library/SSLeay/no_rsa.cfm to
> > > generate DSA Certificate
> > >
> > > 2. Server side, do the equivalent of:
> > >
> > > openssl s_server -key privkey.pem -cert signed.pem -CAfile demoCA/cacert.pem
> > >
> > > 3. Client side, do the equivalent of:
> > >
> > > openssl s_client -CAfile signed.pem
> > >
> > > Is this right???  Gets so confusing after a while.
> >
> > Looks OK.  Stating the obvious: you are using the same certificate for
> > both client and server.  Usually, with them being on different machines,
> > they have separate certificates (and keys).
> >
> > You might also want to look at changing the settings in openssl.cnf so
> > that the CA flag is not set for client certificates.
> >
> > Andrew
> >
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> 
> --
> Clarity of thought should be accompanied by clarity of technique - Mondriaan
> Powered by ffwd internet division   [ http://www.ffwd.com/ ]

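The points discussed in this thread, as an added example that is not part of the original messages or of the OpenSSL project's own material: a script that builds a CA and a server certificate with the CA flag off, so the client-side check can be run with nothing but the CA certificate, and so the effect of the CA flag is visible when the server's key is used to sign a further certificate. File names follow the thread; the function names, `pki.cnf`, the subject names and the RSA key type are assumptions (the thread used a DSA key).

```shell
#!/bin/sh
# Added example. File names follow the thread; the function names, subject
# names, lifetimes and RSA key type are assumptions (the thread used DSA).

# build_pki DIR: create a CA, a server certificate with the CA flag off, and a
# certificate signed with the server's key, all inside DIR (run in a subshell).
build_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
    # Self-signed CA certificate: the only file the client has to hold.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout cakey.pem -out cacert.pem -days 30 -subj "/CN=Example CA" &&
    # Server key and request, then the CA signs it as an end-entity certificate.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout privkey.pem -out req.pem -subj "/CN=localhost" &&
    openssl x509 -req -in req.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -extfile pki.cnf -extensions v3_leaf -days 30 \
        -out signed.pem &&
    # A further certificate signed with the server's key instead of the CA's.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout subkey.pem -out subreq.pem -subj "/CN=issued-by-server-key" &&
    openssl x509 -req -in subreq.pem -CA signed.pem -CAkey privkey.pem \
        -CAcreateserial -extfile pki.cnf -extensions v3_leaf -days 30 \
        -out sub.pem
)

# chain_ok CAFILE CERT [UNTRUSTED]: succeed if CERT verifies against CAFILE,
# optionally offering UNTRUSTED as an intermediate certificate.
chain_ok() {
    openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# has_ca_flag CERT: succeed if the certificate's basicConstraints say CA:TRUE.
has_ca_flag() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

After `build_pki DIR`, `chain_ok DIR/cacert.pem DIR/signed.pem` succeeds with no client key or certificate involved, while `chain_ok DIR/cacert.pem DIR/sub.pem DIR/signed.pem` fails because `signed.pem` is not marked as a CA.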