Arno Garrels wrote:
> daniel cc wrote:
>> Hi Arno,
>> Thanks for the response.
>> Yes I do understand but,
>> looks like, I can't explain correctly.
>>
>> My point is,
>> If I buy a certificate for the server,
>> I need to connect more than 5 clients to the same server.
>> Does this mean, I need to have 5 certificates or can I use 1
>> certificate which has 5 keys?
>
> Clients do not need a certificate (and key) to be able to
> connect to a SSL server.

Provided the server DOES NOT enforce client certificates (as the German
tax office server does). Most servers don't. It is on your side how you
set up the server. And if you want client certificates, do that with your
own CA, but never ever send keys over the internet. The client has to
generate his private key locally and use that to sign a certificate
request. The certificate request can be sent to the CA, which will create
the client certificate and send it to the client.

See OverbyteIcsX509Utils.pas for a simple Delphi function to generate a
key and a certificate request.

BTW: When you order a commercial certificate the key and certificate
request are created either by an ActiveX or by a Java browser plugin.

--
Arno Garrels

>
>>
>> I hope it is clear this time..
>>
>> Thanks
>>
>> -----Original Message-----
>> From: Arno Garrels
>> Sent: Wednesday, June 15, 2011 1:55 PM
>> To: ICS support mailing
>> Subject: Re: [twsocket] SSL server and CLient cert.
>>
>> daniel cc wrote:
>>> Thanks again,
>>> can you please clear a bit up,
>>> I understand the server certification but,
>>
>> Do you really?
>>
>>> where do I get the client key which is that PEM file?
>>
>> Do you need/want client certificates? If so, the server
>> will have to verify client certificates during the SSL handshake
>> process.
>>
>>> Is it delivered with the certificate or should I buy that
>>> separately?
>>
>> When you order a SSL certificate a matching key is created;
>> you always get a key along with your certificate, otherwise the
>> certificate would be useless.
>>
>> Usually you buy a SSL server certificate. Its common name field is
>> the DNS name of the server, i.e. smtp.gmail.com or
>> www.microsoft.com.
>>
>> If clients may connect from dynamic IP addresses a certificate
>> can neither be issued to an IP nor to a DNS name, hence it is rather
>> useless. In such case a good password is as secure as a client
>> certificate that i.e. has some ID in its common name field.
>> And if both clients and server are under your control it is
>> not required to buy a certificate, just create your own CA
>> and certificates (server and client if you like).
>>
>> --
>> Arno Garrels
>>
>> --
>> To unsubscribe or change your settings for TWSocket mailing list
>> please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
>> Visit our website at http://www.overbyte.be
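The workflow Arno describes (client generates its key locally, only the CSR goes to the CA, the CA signs and returns a certificate, the server then verifies against the CA root) as an added, runnable example. This is editor-supplied code, not part of the thread and not ICS or OverbyteIcsX509Utils.pas code; it uses the openssl CLI instead of Delphi, and the names demo-ca and client-42 and the $WORK directory are invented for the demo. The private keys never leave the side that created them; a self-signed "rogue" client certificate made with the same key is shown to fail verification, which is the check a server enforcing client certificates relies on.

```shell
#!/bin/sh
# Added example (not from the ICS mailing-list thread): private CA, client key
# generated locally, CSR signed by the CA, chain verified as a server would.
# Assumes the openssl CLI is installed. Names (demo-ca, client-42) are hypothetical.
set -eu

WORK=${WORK:-$(mktemp -d)}

make_ca() {
  # CA side only: CA private key and self-signed root. Never shipped to clients.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 3650 \
      -subj "/CN=demo-ca" -out "$WORK/ca.crt" 2>/dev/null
}

client_make_csr() {
  # Client side: key is generated and stays here; only client.csr is sent out.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/client.key" 2>/dev/null
  openssl req -new -key "$WORK/client.key" -subj "/CN=$1" \
      -out "$WORK/client.csr" 2>/dev/null
}

ca_sign_csr() {
  # CA side: issue a leaf cert from the CSR, marked for client authentication.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
      > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
      -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
}

verify_chain() {
  # Server side: what "enforce client certificates" means, chain to our CA root.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

key_matches_cert() {
  # The returned cert must carry the public half of the locally generated key.
  k=$(openssl pkey -in "$WORK/client.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/client.crt" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

cert_subject() {
  openssl x509 -in "$WORK/client.crt" -noout -subject 2>/dev/null
}

rogue_cert_rejected() {
  # A client that self-signs with the same CN is not trusted: no CA signature.
  openssl req -x509 -new -key "$WORK/client.key" -days 1 \
      -subj "/CN=client-42" -out "$WORK/rogue.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORK/ca.crt" "$WORK/rogue.crt" >/dev/null 2>&1
}

# Demo run
make_ca
client_make_csr client-42
ca_sign_csr
verify_chain && key_matches_cert && rogue_cert_rejected \
  && echo "client-42: key stayed local, cert chains to demo-ca, self-signed copy rejected"
```

The server end of this (the ICS SslContext verify options, or any other TLS stack) only needs ca.crt to validate what clients present; it never needs client.key, which is the whole point of Arno's "never send keys over the internet".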