Hi! I probably have a very basic question, but I need to describe my problem in detail to make sure everybody understands what I'm seeking, because I may not be using the correct terminology. I want to have this kind of organizational structure (OU = Organizational Unit):
Root-CA
|
+---OU1
|   |
|   +----OU1-Server-1-Key
|   |
|   +----OU1-Server-2-Key
|   |
|   +----OU1-Client-1-Key
|   |
|   +----OU1-Client-2-Key
|   |
|   +----OU1-Client-3-Key
|
+---OU2
    +---- ... (and so on)

For my project I would have some dozens of OUs. In this project clients connect to servers (not http, no DNS) and transfer data over that connection to a custom application.

Now I want the servers (OU1-Server-n) to check the client's certificate when a client connects to a server. Any client who is a member of the same OU should be able to connect to any of the servers of the same OU, but not to a server of a different OU. And the clients should check that the certificate of server-n is a valid certificate, signed by OU1's key (or/and our root key?). It should also be allowed that Server-1 connects to Server-2 (for synchronization purposes).

I tried to achieve this the following way:

1. Create root key
2. Create root certificate
3. Create OU1 key
4. Create OU1 certificate
5. Sign OU1's certificate with our root key.
6. Create OU1-Server-1 key
7. Create OU1-Server-1 certificate
8. Sign OU1-Server-1 certificate with OU1's key.
9. Do the last three steps for each OU1-Client-[1-n] key

If I have made any obvious mistakes (maybe in concept), please let me know.

I have quite a couple of files now. The main question is: which files are now needed on the clients and which on the servers, and how do I generate them from the files I have?

[Should I just copy the server's certificate into a certificate file which then contains the root cert as well as the cert of OU1 and the certs of all of OU1's servers in one file, and have that file on the clients? And the same with the servers (all client certs, OU1's cert as well as the root cert)?

What's confusing me is that I've seen so many files where certificates and keys are mixed up in one file. What's also confusing me is that I've seen cert files with not only ASCII-coded binary code in them, but also with readable strings like "Issuer = ..." mixed in.

Which format can be used for certificates?]

--
Regards,
Torsten

 (0>
//\
V_/_   Tolerance rocks!

---------------------------------------------------------------------

# head PCA/private/PCAkey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,abcdefghijklmnopq
1234567890abcdefghijklmnopqrstuvwxyz[modified...]

# head PCA/private/PCAcert.pem
-----BEGIN CERTIFICATE-----
MIIIEDCCBfigAwIBAgIBADANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCREUx

# grep '^---' /Server/server.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN X509 CERTIFICATE-----
-----END X509 CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[and so on, about 50 lines]

# grep '^---' /Server/client.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
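The file layout the grep output above shows (certificate and private-key markers in one PEM file, with readable dump text between them) is what a PEM reader has to cope with. The following is an added example, not code from the post or from the OpenSSL project: a stdlib-only splitter that extracts every armored object, keeps the RFC 1421 encryption headers of a key, and re-emits a certificates-only bundle so that the file copied to clients as a trust store never carries a private key. The sample bundle and its DER payloads are constructed stubs.

```python
import base64
import re

# One armored object; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def parse_pem_bundle(text):
    """Return [(label, headers, der)] for every armored object. Text outside
    BEGIN/END lines (the readable "Issuer: ..." dump of `openssl x509 -text`)
    is skipped, exactly as OpenSSL's own PEM reader skips it."""
    objects = []
    for label, body in PEM_BLOCK.findall(text):
        headers, lines = {}, body.splitlines()
        # RFC 1421 headers (Proc-Type, DEK-Info) mark an encrypted key; base64 has no ':'
        while lines and ":" in lines[0]:
            key, _, value = lines.pop(0).partition(":")
            headers[key.strip()] = value.strip()
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        objects.append((label, headers, der))
    return objects

def certificates_only(text):
    """Re-armor only the certificate blocks: a bundle copied to other hosts
    as a trust store must never carry a private key."""
    out = []
    for label, _hdrs, der in parse_pem_bundle(text):
        if "PRIVATE KEY" not in label:
            b64 = base64.b64encode(der).decode()
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            out.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    return "".join(out)

# Constructed sample in the layout the post's grep shows: text dump, cert,
# encrypted key, old-style X509 block; payloads are tiny DER stubs, not real.
SAMPLE_BUNDLE = """\
    Issuer: C=DE, OU=OU1, CN=OU1-CA
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MAMCAQI=
-----END RSA PRIVATE KEY-----
-----BEGIN X509 CERTIFICATE-----
MAMCAQM=
-----END X509 CERTIFICATE-----
"""
```

Running `parse_pem_bundle(SAMPLE_BUNDLE)` yields three objects with labels CERTIFICATE, RSA PRIVATE KEY and X509 CERTIFICATE, the key carrying its Proc-Type/DEK-Info headers; `certificates_only(SAMPLE_BUNDLE)` returns just the two certificate blocks.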