On Thu, 2009-02-05 at 17:01 +0300, mb0 wrote:
> 1. can it be self-signed root certificate?
>
It can be either a root certificate or a certificate signed by a CA. The certificate structure is the same, the meaning is different.

When the server receives the certificate, it has to verify it. If it is self-signed, it must have a copy of that certificate stored somewhere. So, if you plan to have many clients, you should copy all their certificates somewhere in the server storage... this does not scale. A better approach is to create a CA, save only its certificate on the server, and let any client have a certificate issued by that CA.

> 2. what options of openssl must I use so that Internet Explorer could
> import it?
>
Already replied.

> 3. if no client certificate is used, how does the SSL handshake happen? what
> certificate/private key is used on the client side?
>
TLS/SSL supports server authentication or mutual (i.e. client+server) authentication. With server-only authentication, client and server agree on a pre-master secret (which is a symmetric key), then they compute and validate a master secret, from which "application" keys are derived (for encrypting/HMAC-ing the record layer messages). If client authentication is required, the client additionally digitally signs (asymmetric crypto) a particular piece of data. Almost nothing changes in the agreement of the pre-master secret. So, if you don't use client auth, no client private key is used.

bye!
-- 
Emanuele Cesena <emanuele.ces...@gmail.com>
http://ecesena.dyndns.org
Il corpo non ha ideali (The body has no ideals)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
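The "create a CA, store only its certificate on the server" approach from the reply above, as an added example that is not part of the original post or of OpenSSL's own code. It assumes only that the openssl(1) command-line tool is on PATH; the names Test CA, alice and mallory, the temporary working directory and the helper functions are made up for the demonstration. It builds a CA, issues one client certificate from it, creates one self-signed client certificate, and then runs the server-side verification three times with different trust stores to show which certificates a server holding only ca.crt can accept:

```shell
#!/bin/sh
# Added example, not from the original mailing-list post or from OpenSSL's
# own code. Shows why a server that stores only the CA certificate can
# verify any CA-issued client certificate, while a self-signed client
# certificate verifies only if the server stores that exact certificate.
# Assumes: openssl(1) on PATH. Names (Test CA, alice, mallory) are made up.

# write_cnf FILE CA_FLAG : minimal req(1) config. CA_FLAG is TRUE for the
# CA certificate and FALSE for a self-signed end-entity certificate.
# The subject comes from -subj on the command line, so [dn] is only a stub.
write_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = replaced by -subj
[ext]
basicConstraints = critical, CA:$2
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR : self-signed CA certificate and key. ca.crt is the ONLY
# file the server needs to keep; ca.key stays with the CA operator.
make_ca() {
    write_cnf "$1/ca.cnf" TRUE
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$1/ca.cnf" -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client_cert DIR NAME : client key + CSR, then a certificate signed
# by the CA. The client keeps NAME.key; the server never sees it.
issue_client_cert() {
    write_cnf "$1/$2.cnf" FALSE
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$1/$2.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# make_selfsigned DIR NAME : a client certificate that signs itself (no CA).
make_selfsigned() {
    write_cnf "$1/$2.cnf" FALSE
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$1/$2.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# verify_against TRUST_FILE CERT : the server-side check. Returns 0 only
# if CERT chains to a certificate in TRUST_FILE (the server's trust store).
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "trust store $(basename "$1"): $(basename "$2") verifies"
    else
        echo "trust store $(basename "$1"): $(basename "$2") REJECTED"
        return 1
    fi
}

# demo : returns 0 only if all three outcomes match the reply's argument.
demo() {
    work=$(mktemp -d) || return 1
    make_ca "$work" && issue_client_cert "$work" alice &&
        make_selfsigned "$work" mallory || return 1

    # 1. CA-issued cert: verifies with nothing but ca.crt on the server.
    verify_against "$work/ca.crt" "$work/alice.crt" || return 1
    # 2. Self-signed cert: rejected by that same trust store.
    if verify_against "$work/ca.crt" "$work/mallory.crt"; then return 1; fi
    # 3. Self-signed cert: verifies only when the server stores that very
    #    certificate, i.e. one trust-store entry per client, which is the
    #    copy-every-client-cert setup that does not scale.
    verify_against "$work/mallory.crt" "$work/mallory.crt" || return 1

    rm -rf "$work"
}

demo
```

With this layout the server is configured with ca.crt alone (for a quick test, `openssl s_server -Verify 1 -CAfile ca.crt ...`), and onboarding a new client means issuing one more certificate from the CA, not touching the server's trust store.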