Dear Torsten,

concatenating some certificates into a single file would not automagically
make every client and server follow the rules. To enforce it,
one can check something during the SSL handshake or immediately
after the handshake, before sending application data.

Servers could get the client name and unit from the client certificate
sent during the SSL handshake. The first step would be verifying that the
client certificate is properly signed, the second to match the
organisation unit name. If it doesn't match, one could either
fail the handshake or maybe send a warning html page to the client
explaining it should use the right server.
Clients could check that the server cert is properly signed as well as that the
server name and organisation unit match.

hope this helps,
Vadim

On Fri, Jul 25, 2003 at 03:36:08PM +0200, T. Valent wrote:
> Hi!
> 
> I probably have a very basic question, but I need to describe my problem
> in detail to make sure everybody understands what I'm seeking,
> because I may not be using the correct terminology. I want to have
> this kind of organizational structure (OU = Organizational Unit):
> 
> Root-CA
>   |
>   +---OU1
>   |     +----OU1-Server-1-Key
>   |     |
>   |     +----OU1-Server-2-Key
>   |     |
>   |     +----OU1-Client-1-Key
>   |     |
>   |     +----OU1-Client-2-Key
>   |     |
>   |     +----OU1-Client-3-Key
>   |
>   +---OU2
>         +---- ... (and so on)
> 
> For my project I would have some dozens of OUs. In this project clients
> connect to servers (not http, no DNS) and transfer data over that
> connection to a custom application.
> 
> Now I want the Servers (OU1-Server-n) to check the client's certificate
> when a client connects to a server. Any client who is a member of the same
> OU should be able to connect to any of the servers of the same OU, but
> not to a server of a different OU. And the clients should check that the
> certificate of server-n is a valid certificate, signed by OU1's key
> (and/or our root-key?). It should also be allowed that Server-1 will
> connect to Server-2 (for synchronization purposes).
> 
> I tried to achieve this the following way:
> Create root key
> Create root certificate
> Create OU1 key
> Create OU1 certificate
> Sign OU1's certificate with our root key.
> Create OU1-Server-1-key
> Create OU1-Server-1-certificate
> Sign OU1-Server-1-certificate with OU1's key.
> Do the last three steps for each OU1-Client-[1-n]-key
> 
> If I have made any obvious mistakes (maybe in concept), please let me
> know.
> 
> I have quite a couple of files now. The main question is, which files
> are now needed on the clients and which on the servers and how to
> generate them from the files I have? 
> 
> [Should I just copy the server's certificate into a certificate-file
> which then contains the root-cert as well as the cert of OU1 and the
> certs of all OU1's servers into one file and have that file on the
> clients? And the same with the servers (all client-certs, OU1's certs as
> well as the root-cert)? What's confusing me is that I've seen so many
> files where certificates and keys are mixed up in one file. What's also
> confusing me is that I've seen cert files with not only ASCII coded
> binary code in it, but also with readable strings like "Issuer = ..."
> mixed up. Which format can be used for certificates?]
> 
> -- 
> Regards,
> Torsten
> 
> (0>
> //\
> V_/_
> 
> Tolerance rocks!
> 
> ---------------------------------------------------------------------
> 
> # head PCA/private/PCAkey.pem
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,abcdefghijklmnopq
> 
> 1234567890abcdefghijklmnopqrstuvwxyz[modified...]
> 
> # head PCA/private/PCAcert.pem
> -----BEGIN CERTIFICATE-----
> MIIIEDCCBfigAwIBAgIBADANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCREUx
> 
> # grep '^---' /Server/server.pem
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
> -----BEGIN X509 CERTIFICATE-----
> -----END X509 CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE----- [and so on, about 50 lines]
> 
> # grep '^---' /Server/client.pem
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
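As an added illustration of the post-handshake check Vadim describes (this is example code written for this page, not code from the thread or from the OpenSSL project), the following uses Python's standard `ssl` module, which wraps OpenSSL. Chain verification against a PEM file holding the root and OU CA certificates is left to the library; the OU rule and the server-name check are applied explicitly on the peer certificate returned by `getpeercert()` before any application data is sent. The file paths, the `OU1-Client-1` / `OU1-CA` names and the sample certificate dictionary are constructed assumptions; since Torsten's deployment has no DNS, hostname matching is switched off and the server's CN is compared against a configured name instead.

```python
import ssl

# Added example, not code from the thread. It enforces the OU rule on top of
# the chain verification the ssl module already performs: each side demands
# the peer's certificate, the library checks it chains to the trusted CA file,
# and the code below then rejects peers whose subject OU is not the local OU
# before any application data is exchanged.


def subject_fields(peercert):
    """Flatten the 'subject' entry of ssl.SSLSocket.getpeercert() into a
    dict mapping attribute name -> list of values (an attribute may repeat)."""
    fields = {}
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            fields.setdefault(key, []).append(value)
    return fields


def peer_in_unit(peercert, expected_ou):
    """True if the verified peer certificate carries the expected OU."""
    return expected_ou in subject_fields(peercert).get("organizationalUnitName", [])


def peer_has_name(peercert, expected_cn):
    """True if the verified peer certificate's CN equals the expected name."""
    return expected_cn in subject_fields(peercert).get("commonName", [])


def server_context(ca_file, cert_file, key_file):
    """Server side: require a client certificate that chains to ca_file
    (root + OU CA certificates concatenated in PEM). Paths are assumptions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def client_context(ca_file, cert_file, key_file):
    """Client side: verify the server chain against ca_file and present our own
    certificate. Hostname matching is disabled because the deployment has no
    DNS; the CN is compared explicitly by client_accepts_server() instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def server_accepts_client(peercert, my_ou):
    """Decision taken right after the handshake, before application data.
    Returns (accepted, reason)."""
    if not peercert:
        return False, "no verified client certificate"
    if not peer_in_unit(peercert, my_ou):
        return False, "client belongs to a different organizational unit"
    return True, "ok"


def client_accepts_server(peercert, my_ou, expected_server_name):
    """Client-side counterpart: same OU, and the CN must be the server we
    intended to reach (the name is configured, since there is no DNS)."""
    if not peercert:
        return False, "no verified server certificate"
    if not peer_in_unit(peercert, my_ou):
        return False, "server belongs to a different organizational unit"
    if not peer_has_name(peercert, expected_server_name):
        return False, "server name does not match"
    return True, "ok"


def handle_connection(conn, my_ou):
    """Use on an SSLSocket returned by server_context(...).wrap_socket(...).
    Sends a short rejection message and closes instead of serving data."""
    accepted, reason = server_accepts_client(conn.getpeercert(), my_ou)
    if not accepted:
        conn.sendall(("rejected: " + reason + "\n").encode())
        conn.close()
    return accepted


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CLIENT_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Example"),),
        (("organizationalUnitName", "OU1"),),
        (("commonName", "OU1-Client-1"),),
    ),
    "issuer": (
        (("organizationName", "Example"),),
        (("organizationalUnitName", "OU1"),),
        (("commonName", "OU1-CA"),),
    ),
}
```

`getpeercert()` only returns a populated dictionary when `verify_mode` is `CERT_REQUIRED` and the chain actually verified, so an empty result is treated as a rejection rather than as "no check needed". The same OU test serves both directions: a server in OU1 refuses OU2 clients, a client configured for OU1 refuses an OU2 server, and Server-1 talking to Server-2 passes because both carry OU1.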