Hi All

I just subscribed to this list.

I have some familiarity with openssl having used it to generate self
signed keys for testing secured web applications (on Apache 2.2),
prior to deployment, at which time my colleagues would buy a server
certificate from one of the usual CAs, such as GoDaddy.

Now, I am looking to do something a little different.

First, I set up several Linux virtual machines using Oracle's
VirtualBox (nice product, BTW), and installed Suse on some and Ubuntu
on others.  On all, I made sure that openssl was installed and up to
date (at least as far as the repositories for Suse and Ubuntu are
concerned).  I then went exploring, and in /etc/ssl/ I found a
configuration file for openssl.  I tried reading it, but the comments
relied heavily on jargon that most of you take for granted.  But since
I am just beginning to study this, it might as well have been in
Swahili for all the good it did me; and the available documentation is
a bit too terse for me to be able to use it to fill in the gaps.

I am hoping that one of you kind souls would direct me to a few good
web resources on which all your jargon is explained/defined, ideally
in standard English.

I am also hoping that in describing what I want to do, one or more of
you would point me to good documentation on how to get it done.

Note, although I am a programmer (using C++, Perl and Javascript -
mostly Perl and C++), I am content to use openssl as installed on the
Linux distros, and don't really want to recompile it unless absolutely
necessary.

Here is the objective (mostly dealing with client certificates).  As I
understand it, one can have a CA that handles issuing certificates and
a RA, or registration authority, that is responsible for verifying the
identity of the person or corporation that is receiving a certificate;
and I understand that most commercial 'CA's combine the two functions
into a single corporate entity.  But I want to set up a CA for a
company, and then set up an RA for each department (so that the
department managers can worry about verifying the identities of their
own staff, perhaps in collaboration with their human resources
department, and selected outsiders (such as preferred customers,
contractors, suppliers, &c.).  I want to set up a simple, secure
website that users (intended recipients) access using credentials I
provide, including a single user password.  After login, the user
would be presented with a series of challenges and the responses would
be checked against what the user had presented to the RA that passed
the credentials I created to the user (each RA would access the DB
containing user data through a separate website, in order to enter the
required data for each person to whom he wants a client certificate
issued).  Once the identity of the user is verified, the web site
would take the user through the process of creating the client
certificate and key.  I am unclear as to how this can happen on the
client side and the resulting certificate still be signed on the server
by my CA.  Also, it is unclear to me how I can configure these
certificates so that they can a) authenticate the user to a secure
server, b) encrypt documents passed between the client and server, and
c) sign encrypted documents.  Also, I understand that the different
browsers support different methods for creating client certificates,
so I'd appreciate a pointer to Javascript code that automagically uses
the right procedure for whatever browser the client is using.  I do
not want to be dictating to the user where or when he gets his client
certificate or what browser he should use.  If there is a repository
of javascript code that can run once the certificate has been created
and installed in the browser that handles installing it also in
whatever email client the user is using, as well as making a proper
backup (e.g. to a USB memory stick, so that if anything happens to his
computer, he can restore it all once his computer issues are resolved).
In brief, I want to make things as easy as possible for the end
users.

Now, I envision a website for each department, to which only those
users who have certificates authorized by the RA in that department
can access, and another that provides access as long as he, or rather
his browser, presents a certificate authorized by any of the RAs in
the company (i.e. a company wide site along with departmental sites).
Having worked with Apache 2.2 for quite a while, and on quite a number
of secure websites, I am reasonably familiar with configuring Apache
to use server certificates, but I am a little unclear on how to tell
it to require certificates from a given pair of CA and RA, or a given
CA in conjunction with any of a given set of RAs.

I am sure there must be lots of companies that have done something
like this.  What I need is a pointer to documentation on how to do it,
along with any accounts of the experiences of those who have done it
and what gotchas to watch out for.

I have been googling all this for a while, now, but it seems I must
have the wrong search query as the signal to noise ratio is
vanishingly small (i.e. I get plenty of noise, but little useful
info).

Any help you can provide would be greatly appreciated.

Thanks

Ted
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
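The two points the post is unsure about (how the user's key can be generated client-side while the certificate is still signed by the company CA, and how a server can tell "CA plus this department's RA" apart from "CA plus any RA") are both visible in a small two-tier PKI built with the openssl CLI. The script below is an added example, not code from the original post or from the OpenSSL project. It models the RA of each department as an intermediate CA signed by the company root; the user generates a key and a certificate signing request (CSR) locally, only the CSR goes to the department CA, and the department CA's signature is what ties the user to that department. All names (Example Corp, the sales and engineering departments, the user alice, the PKI_DIR working directory) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a two-tier PKI built with the
# openssl CLI. One self-signed company root CA, one intermediate CA per
# department (playing the RA role described in the post), and a client whose
# private key never leaves its own directory: the client makes a CSR and the
# department CA signs it. Names (Example Corp, sales, engineering, alice)
# are constructed for this demo; PKI_DIR defaults to a fresh temp directory.

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Extension profile shared by every CA certificate (root and department).
write_ca_ext() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
}

# Extension profile for an end-entity client certificate: TLS client
# authentication and S/MIME (signing/encrypting mail), explicitly not a CA.
write_client_ext() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth,emailProtection\n' > "$1"
}

# make_root DIR: self-signed company root CA (root.key, root.crt).
make_root() {
    dir="$1"
    write_ca_ext "$dir/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/O=Example Corp/CN=Example Corp Root CA" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" \
        -signkey "$dir/root.key" -extfile "$dir/ca_ext.cnf" \
        -out "$dir/root.crt" 2>/dev/null
}

# make_dept DIR NAME: department intermediate CA, signed by the root.
make_dept() {
    dir="$1"; name="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/O=Example Corp/OU=$name/CN=Example Corp $name CA" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$dir/$name.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca_ext.cnf" -out "$dir/$name.crt" 2>/dev/null
}

# issue_client DIR DEPT USER: the user generates key + CSR in DIR/USER/
# (standing in for the user's machine); the department CA signs the CSR.
# Only the CSR crosses over; the private key stays with the user.
issue_client() {
    dir="$1"; dept="$2"; user="$3"
    mkdir -p "$dir/$user"
    write_client_ext "$dir/client_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$user/$user.key" -out "$dir/$user/$user.csr" \
        -subj "/O=Example Corp/OU=$dept/CN=$user" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/$user/$user.csr" \
        -CA "$dir/$dept.crt" -CAkey "$dir/$dept.key" -CAcreateserial \
        -extfile "$dir/client_ext.cnf" -out "$dir/$user/$user.crt" 2>/dev/null
}

# verify_client DIR USER DEPT: does USER's certificate chain to the root
# through DEPT's CA? Same check a server makes; which intermediates it is
# given decides which departments it accepts. Returns 0 on success.
verify_client() {
    dir="$1"; user="$2"; dept="$3"
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/$dept.crt" \
        "$dir/$user/$user.crt" >/dev/null 2>&1
}

# client_issuer DIR USER: issuer DN of the client certificate, i.e. the
# department CA that vouched for the user (what a per-department site checks).
client_issuer() {
    openssl x509 -noout -issuer -in "$1/$2/$2.crt" | sed 's/^issuer=//'
}

build_pki() {
    make_root "$1"
    make_dept "$1" sales
    make_dept "$1" engineering
    issue_client "$1" sales alice
}

build_pki "$PKI_DIR"
echo "issuer of alice's certificate: $(client_issuer "$PKI_DIR" alice)"
if verify_client "$PKI_DIR" alice sales; then echo "alice via sales CA: OK"; fi
if ! verify_client "$PKI_DIR" alice engineering; then echo "alice via engineering CA: rejected"; fi
```

The design choice worth noticing is that the department CA, not the root, is the handle for access policy: a company-wide site trusts the root and is handed every department certificate, while a departmental site is handed only its own department's certificate, so a certificate issued by another department cannot build a chain and is rejected. In Apache terms this is the content of the file named by SSLCACertificateFile together with SSLVerifyClient require; the issuer DN printed by `client_issuer` is the field to check when finer control than "chains or doesn't" is wanted. The browser-side step the post asks about is exactly the CSR half of `issue_client`: the key is made where the user is, and only the request travels to the signer.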
