Hi,

> Now a self signed certificate is something like someone saying "I am
> your Trusted Partner. You can trust me because I have a passport which I
> issued myself". You can believe in this if for example you can check the
> key's fingerprints with your partner over telephone. But if you received
> the certificate (which, by the way, contains the public keys) in an
> unauthenticated eMail this eMail could as well have been sent by your
> evil adversary...
Thanks for the info. I guess a self signed certificate would be ok for us since we are developing a client-server application for which we want to control all the communications. We need to authenticate the clients and provide a secure tunnel from end to end.

> > The following command seems to create a new public and private key:
> >
> > # openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out
> > nucreq.pem -nodes -outform PEM
> >
> > What are these key files for?

I'm still not sure what these files are for. I guess that the nuckey.pem is a private key (does this need loading with SSL_CTX_use_certificate_chain_file?). I guess the nucreq.pem is the public key which requires signing. Do I need to sign only this?

> > How can I create a certificate for a client?
>
> You described it yourself, by doing "openssl ca -in nucreq.pem". But I
> guess your problem is how to use this certificate/key in an application
> like an internet browser or mail client. If this is so there are
> different ways depending on your application. You should be more
> specific on your (client and server) applications...

I was trying to create a certificate for the server in the above line :-) Is the procedure the same for a client? I would have thought some of it must be done on the client otherwise where would the client's private key reside?

What really confuses me is the examples I have seen which seem to all be different. Many seem to concatenate certificate or key files and I don't know why and whether I should be doing this.

The application is not web based. We have already developed a server application which uses a proprietary protocol over tcp/ip. We have also developed a companion client API (which our clients use). Now we have the requirement to secure this communication channel hence the adoption of OpenSSL.
Cheers,
Mark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
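An added example (not from the thread and not the OpenSSL project's own code) that walks through the procedure discussed above for a private client-server deployment: one self-signed CA, a key pair plus certificate signing request (CSR) generated on each side, signing with `openssl x509 -req` instead of `openssl ca` so that no CA directory layout or config file is needed, and the key+certificate concatenation that many examples show. The directory name and the `Demo App CA`, `demo-server` and `demo-client` subject names are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal private CA for a client-server application.
set -eu

# Builds the whole PKI under "$1" (a constructed scratch directory).
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. The CA: a self-signed certificate. ca.key stays on the operator's
    #    machine; only ca.crt is shipped to peers as the trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo App CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for peer in server client; do
        # 2. Each side generates its own key and a CSR. The CSR (nucreq.pem
        #    in the thread) is not a bare public key: it carries the public
        #    key plus the requested name, signed by the private key to prove
        #    possession. Only the CSR travels to the CA; the key never does.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$peer" \
            -keyout "$dir/$peer.key" -out "$dir/$peer.csr" 2>/dev/null
        # 3. The CA signs the CSR, producing the peer's certificate.
        openssl x509 -req -in "$dir/$peer.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
            -out "$dir/$peer.crt" 2>/dev/null
        # 4. Optional bundle: key + certificate in one PEM file. This is the
        #    concatenation seen in many examples; SSL_CTX_use_certificate_chain_file
        #    reads the certificate part and SSL_CTX_use_PrivateKey_file the key part.
        cat "$dir/$peer.key" "$dir/$peer.crt" > "$dir/$peer.pem"
    done
}

# verify_against_ca CAFILE CERT: succeeds only if CERT chains to CAFILE.
# A peer must use ca.crt here, never another peer's certificate.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# csr_matches_key CSR KEY: the public key inside the CSR must be the one
# derived from the private key it was generated with.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl md5)
    b=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ "$a" = "$b" ]
}
```

Run `build_demo_pki demo-pki` once, then point the server at `server.pem` and `ca.crt` (to check client certificates) and each client at `client.pem` and `ca.crt` (to check the server's certificate).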