l Burnerheimerton wrote:
[...] Ted - many thanks for your help. Just so I understand correctly, I generate a private key certificate using openssl to export it to a file that would then be imported into a browser. I can then use that server key to encrypt data that only those users for whom I have generated, and they have installed, a private certificate can decrypt. Is that right?
Hmm, I'm not sure if we are really talking about the same thing... A client certificate used in a browser application is for authentication, so the server knows whom it is talking to. If the server uses HTTPS and only accepts connections from users who can authenticate with a certain kind of certificate (like those which were generated by your own CA) the result is that someone who does not have a cert cannot "talk" with the server. Independent of a client certificate, HTTPS assures that only the current user can decrypt the data sent by the server to him/her. If I understood you right this satisfies your needs, although your description is (technically) not exactly correct.
Back to the procedure you need. First of all you'll have to set up a CA. One of many descriptions for this can be found in http://sial.org/howto/openssl/ca/ (top hit of a Google search after "setup openssl ca"). Just check that your openssl contains "nsCertType = client, email" and "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" for the certificates you are generating.
Certificate generation is also described there, if you don't find better information on how to create keys and CSR http://www.openssl.org/docs/apps/req.html may help you.
So let's assume you have set up the CA, your private key is in the file privkey.pem and mycert.pem contains your certificate. Then the following command should generate a PKCS#12 file mydata.p12 which can be imported by Mozilla and IE (I've tested with Firefox):
openssl pkcs12 -export -out mydata.p12 -inkey privkey.pem -in mycert.pem

To use the keys you'll probably also have to import your CA's cert into the browser and trust it to identify web sites and mail users. Note that this can be quite dangerous (from a security viewpoint) in a production environment if your CA's private key is not properly secured...
Hope it helps. Ted ;)
-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
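As an added example (not Ted's commands and not part of the thread), here is the whole procedure carried through with openssl in one script: a throwaway CA, a client certificate carrying the extensions Ted names, the PKCS#12 export, and the checks an administrator would run before handing the file to a user. The CA name, the user identity, the export password and the extendedKeyUsage line (which current browsers expect alongside nsCertType) are my assumptions, not values from the mail; openssl(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not Ted's code: CA -> client cert -> PKCS#12, then verify.
# Everything happens in a scratch directory; nothing touches a real CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=Example Test CA"                                  # constructed
USER_SUBJ="/CN=Alice Example/emailAddress=alice@example.test"  # constructed
P12_PASS="changeit"   # demo export password; use a real one in practice

make_ca() {
    # Self-signed CA key and cert; ca.key is the secret Ted warns about.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

make_client_cert() {
    # Extensions from the mail; extendedKeyUsage is an added assumption.
    cat > "$WORK/client.ext" <<EOF
nsCertType = client, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
    # User key + CSR, then the CA signs the CSR with those extensions.
    openssl req -newkey rsa:2048 -nodes -subj "$USER_SUBJ" \
        -keyout "$WORK/privkey.pem" -out "$WORK/mycert.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/mycert.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/client.ext" -out "$WORK/mycert.pem" 2>/dev/null
}

export_p12() {
    # The step from the mail, plus the CA cert so the browser gets the chain.
    openssl pkcs12 -export -out "$WORK/mydata.p12" -inkey "$WORK/privkey.pem" \
        -in "$WORK/mycert.pem" -certfile "$WORK/ca.pem" -passout "pass:$P12_PASS"
}

verify_chain() {
    # Checks before handing the file out: cert chains to our CA, carries the
    # client extensions, and the .p12 opens with the password we set.
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/mycert.pem" >/dev/null &&
    openssl x509 -in "$WORK/mycert.pem" -noout -text | grep -q "Non Repudiation" &&
    openssl x509 -in "$WORK/mycert.pem" -noout -text | grep -q "SSL Client" &&
    openssl pkcs12 -in "$WORK/mydata.p12" -passin "pass:$P12_PASS" -nokeys -noout
}

main() { make_ca && make_client_cert && export_p12 && verify_chain; }
main
```

After it runs, `$WORK/mydata.p12` is the file to import into Firefox and `$WORK/ca.pem` the CA cert to trust; `$WORK/ca.key` must never leave the CA machine.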