Sreedhara M. Reddy wrote:
> Hi,
> Can someone guide me how to generate certificate and key
> pairs for client authentication in SSL applications.

First, are you really sure that this is what you want to do?

The problem with client certificates is that they tie the
client down to a specific workstation machine, which has the
private key and certificate in its file system, unless the
user carries her crypto material around in a USB key fob or
a smart card.  Unless you really need the highest level of
security and people are going to carry multiple factor crypto
material around with them, you're probably better off using
a server certificate to secure the connection, then using
something like a password to authenticate the actual user.

It's just too damn easy to break into these cheap Windows
machines and steal the crypto material, and passwords don't
help when the adversary can steal the encrypted file and
try password a, b, .. aa, ab .. aaa, aab for hours or days
or whatever until she lucks onto the password.

For example, look at today's web commerce.  The commerce
server machines use purchased certificates to authenticate
themselves to the user (and to secure the network channel)
but then the *credit card number* is how the buyer authenticates
herself to the vendor.  Or the growing number of "web mail"
services where the server is secured by a vendor purchased
certificate and the user types a password into a secured page
in order to access her email.

===

Assuming this is really what you want to do, you need to
have one root certificate and a client certificate for each
client that is signed by it.  The root certificate goes into
the internet server application.  The client certificates
and their associated private keys go into the user machines
(or smart cards or USB keyfobs or Java Buttons or whatever).

Most browsers will accept certificates that are downloaded
with either x-something MIME types (Netscape/Mozilla) or
specific filename extensions (Explorer).  A medium security
system that is often used is to have a web page that issues
the certificates and downloads them after a user has
authenticated herself with a more traditional form of user
authentication, like her campus password.

Hope this gets you sort-of oriented.  There are people on
this list who are actually doing this who can supply more
technical detail on request.

===

For machine-to-machine connections it is a little easier.
It still makes sense to have a root, and have it sign a
certificate for each machine.  Just how you set it up
depends on the specific software.  The problem is, again,
how to secure the password for the private key, given that
there is typically no human being there at startup to give
a password, so the adversary can, in principle, steal the
entire filesystem and "trace" a startup in order to steal
the crypto material.

This is probably getting beyond appropriate for an orientation.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
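
The layout described in the message above (one root, one root-signed certificate per client, only the root certificate installed on the server), as an added example using the openssl command-line tool. It is not part of the original thread; the file names, subject names and lifetimes are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Names, subjects and lifetimes
# are constructed. Requires the openssl command-line tool.
set -eu

# make_root DIR: create the root key and self-signed root certificate.
make_root() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

# issue_client DIR NAME: key pair + CSR for one client, signed by the root.
issue_client() {
    # -nodes leaves the key unencrypted so the example runs unattended;
    # a key handed to a user would normally be passphrase-protected.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/O=Example Org/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # Mark the certificate as an end-entity cert usable only for TLS client auth.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$1/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
        -extfile "$1/client.ext" -out "$1/$2.crt" 2>/dev/null
}

# verify_client ROOTDIR CERT: the check a server holding only root.crt performs.
verify_client() {
    openssl verify -purpose sslclient -CAfile "$1/root.crt" "$2" >/dev/null 2>&1
}

# Usage: ./clientpki.sh ./pki alice   (root.crt -> server; alice.key/.crt -> client)
if [ $# -eq 2 ]; then
    make_root "$1"; issue_client "$1" "$2"; verify_client "$1" "$1/$2.crt"
    echo "issued $1/$2.crt"
fi
```

The root private key (`root.key`) stays with whoever issues certificates; neither the server nor the clients need it.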
