Thanks a lot Marek.
Now it is very clear to me.
I spent lot of time to get this information but I couldnt find this(clients private key usage) in any of the document.
Can you please suggest me some good website/ books to learn how SSL works?
One more question:
Is CSR machine specific? If I generate the CSR in machine A and install the certificate in Machine B will it work? If not can you please tell me why it will not work?
What are the machne specific details goes into CSR?
Also the document says the while generating CSR the the Common Name [CN] should match my hostname which is www.dubaibank.ae. when the server presents its certificate to the client will the client verify the URL entered in browser with the URL that is there in the certificate?
Thanks again,
Babu
On 10/4/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
Hello,
> Can anyone help me to identify the certificate requirement for the
> below scenario
>
> We are planning to implement ssl for our b2b product
>
> Server : Apache webserver
> Client : JAVA based Product(not browser)
>
> 1. Server should authenticate the client.
> 2. Client should authenticate the server.
> 3. Server should encrypt and decrypt the message
> 4. Client should encrypt and decrypt the message
>
>
> Now for Point 2 to 3 (server side certificate) my understanding is
> a. I should generate private key, csr and then get it signed from
> authorities like verisign.
> b. Place the private key and the certificate at the server side
> c. Place the certificate (publickey+certificate) and root certificate
> at client side
> The server will decrypt and encrypt the messages using the its private
> key, the client will authenticate the server and encrypt and decrypt
> the message using server's public key + certificate.
>
> Now If have to implement point 1 (server authenticating the client) do
> I have to get another certificate for the client?
> If I have separate certificate for the client I have to have private
> key also for the client. In that case how the encryption, decryption
> does happen?
>
>
> In my client's(JAVA based Product) if I have to enable the ssl for
> point 1 I have to specify the client certificate and the private
> key(It expects the client certificate and private key. In that case
> both client and server will have its own private key. I am little
> confused how encryption and decryption will happen if both client and
> server has its own private key?
>
> Can any one help me to clarify the above.
In SSL, server RSA private_key/server_certificate is used to securely
transport from client to server 48 bytes of random data called
pre_master_secret from which key for symmetrical encryption alghoritms
(DES, AES) and message digest functions (MD5, SHA1) are created.
This means that encryption/decryption of real application data
is performed by symmetrical encryption, not RSA.
For short:
- server sends server_certificate to client
- client checks server_certificate (with root CA)
- client encrypts random 48 bytes with server_certificate and sends
to server
- server decrypts this data with server private_key and gets 48 random
bytes from client
- both sides calculates keys for encryption, MAC verification
Server proofs having proper private key by generating proper symmetrical
keys (identical with clients).
Client_private_key/client_certificate is used only for client
authentication. If server is configured to request client authentication
then special packet is send from server to client requesting
client certificate (certificate_request), in response client sends to
server his certificate (in certificate packet) and special packet
called certificate_verify which has special data encrypted with
client private key. Server verifies client certificate (with root CA),
decrypts data from certificate_verify packet using client certificate,
calculates your own data, compares this and if this equals - client
is authenticated by server. Of course this proof only that client
has client_private_key/client_certificate.
>From now, client key/certificate is not used.
Best regards,
--
Marek Marcola < [EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
