On Mon, Dec 29, 2008 at 12:55:14AM -0500, Edward Diener wrote:

> My assumptions from what I could glean from the certificates distributed 
> is that the CA-cert.pem is the same for client and server, while the 
> server-cert.pem is a public key corresponding to the private 
> client-key.pem, and the server-key is a private key corresponding to the 
> public client-cert. When I say "corresponding" I mean that they form a 
> public-private key pair.

No, it is simpler than that:

    For each (one or a few) server:
        - a server-cert.pem corresponds to a server-key.pem
        - in some deployments all servers share the same server cert and key
        - best practice is to generate the server keys on the server, and
          then obtain a CA cert for the public key (certificate request).

    For each (often many) clients:
        - a client-cert.pem corresponds to a client-key.pem
        - each and every client key and corresponding certificate pair
          are distinct from all other such pairs.
        - best practice is to generate the client keys on each client, and
          then obtain a CA cert for the public key (certificate request);
          you need to bootstrap secure (authenticated) delivery of the client
          CSR from the client to the signing CA. The CA need not be a public
          CA, there is often little value in using a public CA in this
          context.
        - Client certificates are OPTIONAL. You can just encrypt the
          connection to the server and login with username/password.

In fact from all the noise in this thread, it seems that simplicity is a
major win whenever complexity is confusing, so dispense with the client
certs entirely and go with username/password. TLS will just encrypt
the login session and authenticate the server.

> If this is true then my client has a private key in its client-key.pem 
> certificate.

The premise is badly mangled, so it is difficult to comment on the
conclusion.

Your confusion is not OpenSSL confusion, it is a basic lack of experience
with public/private key security protocols and the roles the various
keys play.

Neither OpenSSL users, nor GnuTLS users, nor Microsoft CryptoAPI users, ...
are specifically the right people to burden with your question.

This is a general question about communications security and requires
independent research via books or a general security help forum.

Good luck.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
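The CA/server/client relationship spelled out in the reply above, as an added example that is not part of the thread: a shell script that builds the files with the openssl CLI (private CA, then a key generated "on" the server and "on" the client, each with a CSR the CA signs) and then checks which key belongs to which certificate. It assumes `openssl` is on PATH; file names follow the thread, subject names are made up.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI is on PATH.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. A private CA. CA-cert.pem is handed to every server and client as the
#    trust anchor; CA-key.pem never leaves the CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout CA-key.pem -out CA-cert.pem \
    -subj "/CN=Example Private CA" -days 365 >/dev/null 2>&1

# 2. Server: key generated on the server, only the CSR goes to the CA,
#    the CA returns server-cert.pem for that key.
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server.csr \
    -subj "/CN=server.example" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA CA-cert.pem -CAkey CA-key.pem \
    -CAcreateserial -out server-cert.pem -days 365 >/dev/null 2>&1

# 3. Client: same procedure with its own, distinct key pair.
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client.csr \
    -subj "/CN=alice" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA CA-cert.pem -CAkey CA-key.pem \
    -CAcreateserial -out client-cert.pem -days 365 >/dev/null 2>&1

# pubkey_of FILE: SHA-256 of the DER-encoded public key held in a cert or
# derived from a private key, so the two can be compared.
pubkey_of() {
    case "$1" in
        *-cert.pem) openssl x509 -in "$1" -pubkey -noout ;;
        *)          openssl pkey -in "$1" -pubout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches CERT KEY: succeeds when CERT's public key belongs to KEY.
key_matches() {
    [ "$(pubkey_of "$1")" = "$(pubkey_of "$2")" ]
}

# signed_by CERT CACERT: succeeds when CERT was issued under CACERT.
signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run it with `sh`, then call `key_matches server-cert.pem client-key.pem` to see the original poster's assumed pairing fail while `key_matches server-cert.pem server-key.pem` succeeds.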
