> I have a desktop/server agent that listens for TCP connections to
> process some information. And now I'm trying to implement privacy
> and authentication to this application, to ensure that only my
> trusted application interacts with these TCP agents.
>
> Another problem is that I'm not sure if it really needs a
> self-signed certificate to authenticate the clients in a scenario
> that already implements a method with a fixed pair of private keys.
> Could someone help me with this objective?
> Examples, articles and documentation will be appreciated.

Since you have complete control over both ends (right?), you can just generate keys and certificates following any web page and then hard-code each side to check for the key it's expecting from the other side. You can generate a key with 'openssl genrsa -out key.pem 1024'. You can generate a self-signed certificate by following the instructions here:

http://www.akadia.com/services/ssh_test_certificate.html
http://sial.org/howto/openssl/self-signed/

If you are 100% sure both ends will always be trusted, you can simply include the server certificate, client certificate, and client key in the client. You include the client certificate, client key, and server certificate in the server. Then just confirm that the other side is using the proper certificate. Note that this means compromising one client compromises them all.

It's more complex, but arguably the right approach is to create your own CA. Issue a certificate to the server with a common name the clients check for. Issue each client its own certificate for a different key with a different common name. This will mean that compromising one client doesn't compromise them all, and it will also allow the server to securely determine which client it's talking to. This will also require less specialized coding, since you can simply hard-code the CA's certificate in the client and server, and then they don't need any special code to recognize the clients: just tell OpenSSL that our CA certificate is the only CA.

If you choose to go that way:

http://www.octaldream.com/~scottm/talks/ssl/opensslca.html
http://sial.org/howto/openssl/ca/

DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
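The two designs in the reply above, worked through with the openssl command line as an added example (this is not code from the thread or from the linked how-tos). Design 1, pinning a fixed certificate on each side, reduces to comparing a certificate fingerprint; design 2 builds a private CA, issues the server a certificate with a name the clients verify and each client its own key and common name, and then trusts only that CA. The names (Agent CA, agent-server, client1, client2), the 2048-bit RSA size (the reply's 1024 is below current minimums) and the throwaway directory are assumptions of the example. It also shows the case the CA design is meant to stop: a self-signed certificate that merely claims CN=client1 is rejected because it does not chain to the CA.

```shell
#!/bin/sh
# Added example, not from the original thread: the two designs from the reply
# done with the openssl CLI. Names (Agent CA, agent-server, client1, client2)
# and the 2048-bit RSA size are assumptions; nothing here is tied to a real host.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DAYS=365

# Design 1 ("hard code each side to check the key it expects"): pinning.
# The pin is the SHA-256 fingerprint of the DER certificate; each side stores
# the fingerprint(s) it will accept and compares after the handshake.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1/$2" | sed 's/^.*=//'
}

# Design 2 ("create your own CA"): ca.key stays offline, only ca.pem is
# distributed to agents and clients, and it is the ONLY trusted CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/CN=Agent CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME CN [DNSNAME]: new key + CSR for NAME, signed by the CA.
# The server gets a DNS SAN so clients can verify the name they connected to;
# each client gets its own key and a distinct CN the server can read back.
issue_cert() {
  dir=$1; name=$2; cn=$3; dns=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  if [ -n "$dns" ]; then
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$dns" > "$dir/$name.ext"
  else
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/$name.ext"
  fi
  openssl x509 -req -sha256 -days "$DAYS" -in "$dir/$name.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# verify_with_ca DIR CERT: what a peer does at handshake time when told
# "ca.pem is the only CA". Exit status 0 means the cert chains to our CA.
verify_with_ca() {
  openssl verify -CAfile "$1/ca.pem" "$1/$2" >/dev/null 2>&1
}

# verify_server DIR CERT HOSTNAME: the client-side check, chain plus name match.
verify_server() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" "$1/$2" >/dev/null 2>&1
}

# peer_cn DIR CERT: the identity the server reads from an authenticated client.
peer_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1/$2" \
    | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# A self-signed cert that merely *claims* CN=client1, which anyone can make
# without a CA-issued key. The CN alone must never be treated as identity.
make_rogue() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/CN=client1" -keyout "$1/rogue.key" -out "$1/rogue.pem" 2>/dev/null
}

make_ca "$WORK"
issue_cert "$WORK" server  agent-server agent-server
issue_cert "$WORK" client1 client1
issue_cert "$WORK" client2 client2
make_rogue "$WORK"

for c in server client1 client2 rogue; do
  if verify_with_ca "$WORK" "$c.pem"; then
    echo "$c.pem: trusted, identity CN=$(peer_cn "$WORK" "$c.pem")"
  else
    echo "$c.pem: REJECTED, not issued by Agent CA (claims CN=$(peer_cn "$WORK" "$c.pem"))"
  fi
done
echo "pin for client1 (design 1): $(fingerprint "$WORK" client1.pem)"
```

In a real deployment the agent loads ca.pem as its only trust store and requires a client certificate (SSL_VERIFY_PEER with SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the OpenSSL API), then reads the CN from the verified peer certificate exactly as peer_cn does here; the client does the chain check plus the hostname match that verify_server performs. Only ca.pem is ever copied to agent hosts; ca.key is what lets you issue, and later replace, individual client certificates without touching the others.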