Greetings,
Hopefully someone has a good direction for me, and I've spent the last few
days rtfming and scouring the last 6 months of the mailing list archives.
I'd like to store OpenSSL generated certificates on some smartcards, but in
order for that to work properly, I need to be able to put the cert on the
smartcard utilizing the card manufacturer's Cryptographic Service Provider
(CSP) (For example, Schlumberger CSP or GemPLUS CSP) instead of using the
Microsoft Base Cryptographic Provider which is the default generally. If you
apply for a VeriSign personal certificate, you are able to choose what type
of CSP the cert should work with, and then using some ActiveX or JavaScript/
Java Applet, it generates a cert request using the proper CSP. Then you
install your cert via the CSP also. Hence, this is all web-based.
There are some low-level utilities that allow direct cert transfer onto a
smartcard, but this avoids the system footprinting in the registry so that
your system is aware that the specific cert is located on a card. This is a
problem, of course.
So, since Apache with OpenSSL hasn't entirely reached the capabilities of
targeting a specific CSP (if I understand right, the CSP is communicated
through ActiveX (or something equivalent) and is not a parameter of the
certificate itself), I thought about using the Microsoft Certificate
Authority to generate and install the certs onto some smartcards. So far,
that works fine, but I have not been able to use these certs with
Apache/OpenSSL. Do I need to sign the certs with something from OpenSSL? Or
possibly do I need to generate a web server cert from Microsoft CA for the
Apache server? Will that even work? Might I need to convert the style of
cert over to a regular X.509 DER? I'm still slightly confused about the
differences between an OpenSSL generated certificate, and a Microsoft CA
certificate.
Lastly, might I need to configure httpd.conf in a certain way to accept a
Microsoft CA cert?
While the first scenario is more welcome because I am able to stick with an
Apache and OpenSSL environment only, I could live with the second scenario
until OpenSSL has matured to using CSPs.
Regards,
Kevin Elliott
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
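The format question the post raises, as an added example that is not part of the original message: a Microsoft CA typically exports a certificate as DER (.cer) or PKCS#7 (.p7b), while Apache's mod_ssl reads PEM (SSLCertificateFile, SSLCACertificateFile), so the script below normalises either encoding to PEM and checks that the result chains to the issuing CA before it is referenced from httpd.conf. It assumes the openssl command-line tool is installed; file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): bring a certificate exported from
# a Microsoft CA (DER ".cer" or PKCS#7 ".p7b") into the PEM form mod_ssl expects,
# then confirm it verifies against the CA bundle Apache will be told to trust.
# Assumes the openssl CLI is on PATH; all file names are placeholders.
set -e

# Convert a DER, PKCS#7 or PEM input to PEM certificate(s) on stdout.
# Each probe runs with -noout so a wrong guess prints nothing.
to_pem() {
    in="$1"
    if openssl x509 -inform PEM -in "$in" -noout 2>/dev/null; then
        openssl x509 -inform PEM -in "$in"
    elif openssl x509 -inform DER -in "$in" -noout 2>/dev/null; then
        openssl x509 -inform DER -in "$in"
    elif openssl pkcs7 -inform DER -in "$in" -noout 2>/dev/null; then
        openssl pkcs7 -inform DER -in "$in" -print_certs
    elif openssl pkcs7 -inform PEM -in "$in" -noout 2>/dev/null; then
        openssl pkcs7 -inform PEM -in "$in" -print_certs
    else
        echo "unrecognised certificate encoding: $in" >&2
        return 1
    fi
}

# Verify a PEM end-entity cert against a PEM CA bundle (the file you would
# name in SSLCACertificateFile). Returns 0 only if the chain is good.
verify_against_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Show subject and issuer so you can see which CA mod_ssl must trust.
show_identity() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Usage: ./cert2pem.sh exported.cer ca-bundle.pem
if [ "$#" -eq 2 ]; then
    to_pem "$1" > "${1%.*}.pem"
    show_identity "${1%.*}.pem"
    verify_against_ca "${1%.*}.pem" "$2" && echo "chain OK" || echo "chain FAILED"
fi
```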