Re: Certificates

Goetz Babin-Ebell Wed, 23 Nov 2005 13:34:58 -0800

Mark wrote:

Hi,

Hello,

# openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM
What are these key files for?
I'm still not sure what these files are for.  I guess that the
nuckey.pem is a private key (does this need loading with
SSL_CTX_use_certificate_chain_file?).

It needs loading with SSL_CTX_use_PrivateKey()...


Thanks.  I was actually trying to load the private key of the root
certificate here.


This is only good if the root key is identical to your server key.
(Normally the root key is not available on the server ;-) )

SSL_CTX_use_certificate_chain_file() loads the CA certificates
that issued your server certificate...


In my case is that the self-signed root certificate?


Yes.
And using an self signed certificate you really don't need
this function:
It is for loading CA certificates that are between the
server cert and the root cert:

root -> CA -> .. -> server

You load the server cert with SSL_CTX_use_certificate_file()
and the CA... certs with SSL_CTX_use_certificate_chain_file()
Normally you don't have to load the root because the
client has to have the root cert to verify the chain...

I was trying to create a certificate for the server in the above line :-) Is the procedure the same for a client? I would have thought some of
it must be done on the client otherwise where would the client's
private key reside?
There you have a small problem:
In client authentication the server sends a list of CA certificate DNs
it will accept as signer for client certificates...
Is this done automatically in SSL_accept()?


If the server has a list of accepted client CA certs and
sets the flags
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE
in his SSL_CTX_set_verify(),
handshake fails if the client has no cert signed by a CA
the server set as trusted...

Now you must somehow make sure that the server has access to the
certificate that issued the client certificate:
Either by transporting the clients CA certificate to the server
(in self signed client certs the client cert)
or by transporting the client request to your CA and have it signed there (and transport the client cert back to the client).


I think the latter would suffice since we want to retain control.
It does seem rather cumbersome though.


in OPENSSL_DIR/ssl/misc is a demo script that does something like
a very small and dump CA...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

smime.p7s
Description: S/MIME Cryptographic Signature

Re: Certificates

Reply via email to