Thank you very much for your response, David and Victor. I really appreciate it.

> > So could someone guide me with the best practices used in such scenarios?
> > Is there a way to securely embed the private key in the installers / CA certificate?
>
> I guess I'm confused. What purpose would a certificate serve if anyone can generate one that serves any purpose?
>
> If I can generate a certificate that says I'm the pope just by entering that into your installer, then a certificate that says I'm the pope doesn't prove I'm the pope.

For now, my purpose is not to establish an identity of a server with the certificate. I plan to use a signed certificate, so that the client can be sure that the server indeed holds the private key associated with the public key provided by the server in its certificate.

> So what's the point of the entire exercise?!

For the requirement of certificate generation on the fly (during installation), the scenario is as follows:

A] I have a client-server application that I would be shipping to different customers. The admin at every customer will install the client and server software on different machines. For the SSL to work, the client software would require a root CA cert, and the server software would require its certificate + key. (NOTE: Only the clients in a particular customer's network will be able to access the server in that particular customer's n/w.)

B] I plan to provide the required root cert + server cert to the customer to kick-start the applications in the customer environment. I have a CA established at my end. The root CA cert of this CA will be used to generate server certificates. (NOTE: I will not be using a CA chain. There will be only one certificate-issuing authority.)

C] Now from the point of view of 'ease of deployment', I would like to burn the same image of my server/client software on, say, 10 CDs and ship them to 10 customers.

But every customer will need to have a distinct server certificate for his server installation. (Also, it is possible that a customer may wish to run two servers on two machines in the same network. So he will need two different server certificates.) So, if I have to provide the certificates to the customer as part of my product, I would have to generate 10 distinct certificates, one certificate per CD. So basically I will be writing 10 distinct CD images for 10 customers.

Also, I would be generating the certificates for these customers based on the information that 'they' provide to me.

So considering the points above, I thought of providing the certificate generation capability as part of my installation itself. This way, I will have to burn the same image on all the 10 CDs. Also, my customers will be saved from sending me the information required to generate a certificate for them. Instead, they themselves (the admin who installs the server) can provide this information as part of the installation and the certificate will be generated behind the scenes.

Victor,
> Typically this means that the administrator has some way to authenticate to a credential enrollment system (kadmind, X.509 cert enrollment website, ...) and can interact with the system to generate the cert for the newly built host

I am sorry but I am not sure I followed what you said about
Could you please explain this, maybe with an example scenario / real-life scenario?

I will highly appreciate any comments / suggestions / help tackling this
scenario.

Thank you.
~ Urjit
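The enrollment model Victor refers to, as an added example that is not part of this thread and not code from any of its participants: the vendor's CA private key stays at the vendor and is never written to the CD; the installer at the customer site only generates a key pair and a certificate signing request (CSR) from the hostname the admin types in; the vendor signs the CSR (this is the step the administrator authenticates to); and the client software, which ships with nothing but the root certificate, checks the result against that root. The directory layout, hostnames and certificate subjects are constructed for the example, the three roles are simulated as three directories on one machine, and the script assumes the openssl command-line tool (1.1.0 or later, for `verify -verify_hostname`) is installed.

```shell
#!/bin/sh
# Added example: the three roles (vendor CA, customer server install, client)
# are simulated as three directories. Only the CSR travels customer -> vendor
# and only the signed certificate travels vendor -> customer.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (constructed for the example)
VENDOR="$WORK/vendor"          # stays at the vendor; the CA key is only ever used here
CUSTOMER="$WORK/customer"      # the customer's server install (what the CD image produces)
CLIENT="$WORK/client"          # what the client software ships with: the root cert only

# Vendor side, done once: root CA key + self-signed root certificate.
vendor_setup_ca() {
    mkdir -p "$VENDOR" "$CLIENT"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Vendor Root CA" \
        -keyout "$VENDOR/ca.key" -out "$VENDOR/ca.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$VENDOR/ca.key"
    cp "$VENDOR/ca.crt" "$CLIENT/root.crt"   # only the public root cert is distributed
}

# Customer side, at install time: the admin supplies the hostname; the installer
# creates the server's private key locally and a CSR. No CA material is needed.
customer_make_csr() {
    host="$1"
    mkdir -p "$CUSTOMER"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$CUSTOMER/server.key" -out "$CUSTOMER/server.csr" >/dev/null 2>&1 || return 1
    chmod 600 "$CUSTOMER/server.key"
}

# Vendor side again, the enrollment step: the CSR is signed with the CA key
# and the signed certificate is returned to the customer.
vendor_sign_csr() {
    host="$1"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$VENDOR/ext.cnf"
    openssl x509 -req -in "$CUSTOMER/server.csr" \
        -CA "$VENDOR/ca.crt" -CAkey "$VENDOR/ca.key" -CAcreateserial \
        -days 825 -extfile "$VENDOR/ext.cnf" -out "$CUSTOMER/server.crt" >/dev/null 2>&1
}

# Client side: accept a certificate only if it chains to the shipped root AND
# was issued for the host the client is talking to. Returns 0 on success.
client_verify() {
    cert="$1"; host="$2"
    openssl verify -CAfile "$CLIENT/root.crt" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Whole enrollment flow for one server; returns 0 if the client accepts the result.
enroll_and_verify() {
    host="$1"
    vendor_setup_ca && customer_make_csr "$host" && vendor_sign_csr "$host" \
        && client_verify "$CUSTOMER/server.crt" "$host"
}

# Negative case: a certificate generated entirely at the install site, with no
# signing step at the vendor, must be rejected by the client. Returns 0 if rejected.
rogue_self_signed_is_rejected() {
    host="$1"
    mkdir -p "$CUSTOMER"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$host" \
        -keyout "$CUSTOMER/rogue.key" -out "$CUSTOMER/rogue.crt" >/dev/null 2>&1 || return 1
    if client_verify "$CUSTOMER/rogue.crt" "$host"; then return 1; else return 0; fi
}

# Usage when run directly: ./enroll.sh server1.customer.example
if [ "${1:-}" != "" ]; then
    if enroll_and_verify "$1"; then echo "client accepts $CUSTOMER/server.crt for $1"; fi
    if rogue_self_signed_is_rejected "$1"; then echo "client rejects a locally self-signed cert for $1"; fi
fi
```

The point of the split is that the only secret ever present at the customer site is the server's own key, so the same CD image can go to every customer without carrying anything that would let an installer mint certificates on its own; a second server on the same network simply repeats the CSR step with its own hostname. The enrollment step is also where the vendor decides whom to sign for, which is the authentication Victor's message mentions: a CSR is signed only when it arrives from an authenticated customer administrator.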

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]