On 2006.11.10 at 13:23:48 +0000, Net Warrior wrote:
> Hi there guys.
> My question is simple, once I've created the certificates and I want to
> deploy the public key to the clients,
> which will be the best method to do the deployment of the cacert.pem file?
Typically one does publish the cacert.pem file (or rename it to cacert.crt or cacert.cer to make life of Windows people simpler) on some web server with content-type application/x-x509-ca-cert. Then users have to visit this URL with their browsers and install the certificate into the browser, answering a few simple questions, which the browser asks automatically when seeing such a content type.

If you are really paranoid, you should distribute information about these questions (which includes the certificate fingerprint) via some offline channel, on paper.

This procedure leaves out OpenSSL clients.

Users who visit the URL with Internet Explorer would install the certificate into the Windows certificate storage, which is used by all client software based on Microsoft CryptoAPI. Users who visit it with Mozilla would install it into the Mozilla certificate storage, which would be used by all Mozilla-suite programs. (Even so, with the recent split of Firefox and Thunderbird into separate packages, users might have to export the certificate from the Firefox storage and import it manually into the Thunderbird one.)

But OpenSSL doesn't have a system-wide or user-wide mandatory certificate storage. Every OpenSSL program can use its own way to specify certificates. So users would have to download the pem file and manually add it to the storage of each program. There is a default storage in ${openssldir}/certs, but users have to place the cert there by hand (and it typically requires root access) and run the c_rehash tool.

As far as I'm aware, there is no OpenSSL-based browser which allows an easy installation procedure of certificates into a storage which is accessible by other OpenSSL-based programs.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
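The OpenSSL-side procedure from the reply, as a script added here (not code from the thread or from the OpenSSL project): it checks the cacert.pem fingerprint against the value received out-of-band, and only then places the file in a certs directory under the hash name c_rehash would use, so `openssl verify -CApath` finds it. The demo CA is constructed for the example, the function names are my own, and the file naming assumes the `-subject_hash` scheme of current c_rehash.

```shell
#!/bin/sh
# make_demo_ca DIR: create a constructed, throwaway self-signed CA for the
# demo (stands in for the real cacert.pem published on the web server).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo CA" \
    -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
}

# ca_fingerprint FILE: SHA-256 fingerprint, the value the user should have
# been given on paper (offline channel) to compare against.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# install_ca_cert FILE EXPECTED_FP CERTS_DIR: refuse to install unless the
# downloaded file matches the out-of-band fingerprint; then store it as
# <subject_hash>.<n>, the name c_rehash would give it (c_rehash makes a
# symlink; a copy under the same name is looked up identically).
# Prints the installed path.
install_ca_cert() {
  cert=$1; expected=$2; dir=$3
  actual=$(ca_fingerprint "$cert")
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: got $actual, expected $expected" >&2
    return 1
  fi
  mkdir -p "$dir"
  hash=$(openssl x509 -in "$cert" -noout -subject_hash)
  n=0
  while [ -e "$dir/$hash.$n" ]; do n=$((n+1)); done   # next free suffix
  cp "$cert" "$dir/$hash.$n"
  echo "$dir/$hash.$n"
}

# verify_against_dir CERTS_DIR CERT: what any OpenSSL program pointed at
# the directory (SSL_CTX_load_verify_locations / -CApath) would do.
verify_against_dir() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demo: in real use, expected_fp comes from the paper, not
# from the downloaded file itself.
if [ "${DEMO_RUN:-1}" = 1 ]; then
  work=$(mktemp -d)
  make_demo_ca "$work"
  expected_fp=$(ca_fingerprint "$work/cacert.pem")
  install_ca_cert "$work/cacert.pem" "$expected_fp" "$work/certs"
  verify_against_dir "$work/certs" "$work/cacert.pem" && echo "trusted via certs dir"
  rm -rf "$work"
fi
```

Run with `DEMO_RUN=0` to load only the functions and call `install_ca_cert` against a real cacert.pem and a fingerprint read from the offline copy.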