From:                   "Kevin Elliott" <[EMAIL PROTECTED]>
To:                     [EMAIL PROTECTED]
Copies to:              [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:                Using Microsoft CA generated certificates or Accessing other CSPs using OpenSSL generated Certificates?
Date sent:              Wed, 25 Jul 2001 22:17:27 GMT
Send reply to:          [EMAIL PROTECTED]

Kevin

This has nothing to do with OpenSSL.  You specify the CSP when 
you generate the CSR, and the associated private/public keys which 
are generated on the Smart Card/USB token.  Then when the 
certificate has been signed by whatever (including OpenSSL) the 
certificate is placed on the Smart card/USB token and all the 
required entries are made within the Microsoft OS.

There are several examples on how to do this within html on the web. 
The most common way is to use the software supplied by Microsoft 
(free)  but it can be done in several different ways, including low 
level functions that can be called by "C".  I can send you an 
example html form that does all this if you desire.  It uses an 
OpenSSL backend located on UNIX (simple perl script) to sign 
CSRs using a self-signed CA certificate.  We use this setup to 
generate test certificates for all the Smart Cards/USB tokens we test 
with our SecureNetTerm product.  It works with all of them including 
the iButton, GemPlus, Rainbow, Aladdin, Litronic and the Sony 
FIU-710 fingerprint identification unit.

Ken
  


Greetings,

Hopefully someone has a good direction for me, and I've spent the last few 
days rtfming and scouring the last 6 months of the mailing list archives. 

I'd like to store OpenSSL generated certificates on some smartcards, but in 
order for that to work properly, I need to be able to put the cert on the 
smartcard utilizing the card manufacturer's Cryptographic Service Provider 
(CSP) (For example, Schlumberger CSP or GemPLUS CSP) instead of using the 
Microsoft Base Cryptographic Provider which is the default generally. If you 
apply for a VeriSign personal certificate, you are able to choose what type 
of CSP the cert should work with, and then using some ActiveX or Javascript/ 
Java Applet, it generates a cert request using the proper CSP. Then you 
install your cert via the CSP also. Hence, this is all web-based. 

There are some low-level utilities that allow direct cert transfer onto a 
smartcard, but this avoids the system footprinting in the registry so that 
your system is aware that the specific cert is located on a card. This is a 
problem of course. 

So, since Apache with OpenSSL hasn't entirely reached the capabilities of 
targeting a specific CSP (if I understand right, the CSP is communicated 
through ActiveX (or something equivalent) and is not a parameter of the 
certificate itself), I thought about using the Microsoft Certificate 
Authority to generate and install the certs onto some smartcards. So far, 
that works fine, but I have not been able to use these certs with 
Apache/OpenSSL. Do I need to sign the certs with something from OpenSSL? Or 
possibly do I need to generate a web server cert from Microsoft CA for the 
Apache server? Will that even work? Might I need to convert the style of 
cert over to a regular X.509 DER? I'm still slightly confused about the 
differences between an OpenSSL generated certificate, and a Microsoft CA 
certificate. 

Lastly, might I need to configure httpd.conf in a certain way to accept a 
Microsoft CA cert? 

While the first scenario is more welcomed because I am able to stick with an 
Apache and OpenSSL environment only, I could live with the second scenario 
until OpenSSL has matured to using CSPs. 

Regards, 

Kevin Elliott
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
__________________________________________________
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
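
Added example (not code from either poster, and not the perl script mentioned above): signing a CSR with a self-signed OpenSSL test CA, as the reply describes, then showing that DER and PEM are two encodings of the same X.509 certificate, which is the conversion the original message asks about. Assumptions: the openssl command line tool is installed, every file name and subject is constructed, and the CSR is generated by openssl here as a stand-in for the one a token's CSP would produce.

```shell
#!/bin/sh
# Added example; every file name and subject below is constructed.
set -eu

# Self-signed test CA, the role the UNIX signing backend plays.
make_test_ca() {    # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Stand-in for the PKCS#10 request the card's CSP produces. On a real
# token the private key is generated on, and stays on, the card.
make_sample_csr() { # $1 = work dir
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Card User" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
}

# Sign the request. "x509 -req" checks the request's self-signature
# and refuses to issue if it does not match.
sign_csr() {        # $1 = work dir
    openssl x509 -req -in "$1/user.csr" -sha256 -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/user.pem" 2>/dev/null
}

# PEM and DER are two encodings of the same X.509 certificate.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }
fingerprint() {     # $1 = file, $2 = PEM or DER
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}
# Succeeds only if certificate $2 verifies against CA file $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
    d=$(mktemp -d)
    make_test_ca "$d"
    make_sample_csr "$d"
    sign_csr "$d"
    pem_to_der "$d/user.pem" "$d/user.cer"
    der_to_pem "$d/user.cer" "$d/roundtrip.pem"
    fingerprint "$d/user.cer" DER
    chains_to "$d/ca.pem" "$d/roundtrip.pem" && echo "chain OK"
    rm -rf "$d"
}
demo
```

The fingerprint is computed over the DER bytes, so it is identical for the PEM and DER files; what decides whether a server accepts the certificate is the CA file it is verified against, not which tool issued it.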