In a client application communicating with a MySQL server, I am using SSL to encrypt/decrypt data sent to and from the database. This requires me to have the PEMs for the CA, client key, and client certificate distributed as part of the application. Of course these certificates will not work except with the corresponding server certificates on the MySQL server to which I am communicating.
My initial choice was to distribute the client certificates in the same directory as the application's modules, as they are easy to find at run-time there in order to make my SSL connection with the database. It has been suggested to me that this is inherently insecure. Nonetheless I must distribute them somewhere, since the certificates have to exist in the file system when I make the call at run-time to create an SSL connection to the server.
What are the best strategies to distribute these client certificates on the end-user's machine? Should I be pre-encrypting these certificates, then decrypting them in memory before writing them to a temporary location, and then destroying the decrypted certificates from that temporary location after the connection is made, or is this overkill and a simpler/better way of distributing the client certificates as part of my application is possible?
Any suggestions, help, pointers would be much appreciated.
Finally, the client application runs on Windows and not Linux, so if there are OS-specific arguments as to how to distribute these client certificates you will know to what OS the application is targeted.
Thanks!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org