Thanks for the response. I just need the certificate to securely identify that a request is coming from who I think it is coming from. My goal is that I can indistinctively use http or https while testing. I just want to set up my application server, Tomcat, so that requests can be received using https. I know that I have to upload the public certificate into the other party (to whom I am talking).
I do not expect to modify the application code because of https. Am I right? Regarding just using the certificate in the fashion mentioned above, will I need to include some license in some file or product brochure? The only case where I see mentioning the certificate authority would be in a System Diagnostics option, where we display the environment variables, so maybe we would want to display some info about who issued the certificate, when using one.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Schwartz
Sent: Wednesday, February 25, 2009 10:19 AM
To: [email protected]
Subject: RE: License for Certificate?

> Hello,
> I am currently developing an interface to a 3rd party product that requires
> HTTPS support using an X.509 certificate.
> I have been given instructions on how to generate the certificate using openssl.
> While in development mode (this is a commercial product), do I need
> to include some license file or text?

Include in what?

> So, I would like to know if I have to include a license file or text for
> using the openssl certificate in these two cases basically
> (development/testing and production).

Again, include in what?

> Gisella Saavedra

I'm having a hard time understanding your question. All you tell us about what you're doing is that it "requires HTTPS support using an X.509 certificate". If it requires a certificate, then you need one to use it. That's what "requires" means.

My guess is that your question is about what certificate you should supply to the 3rd party product and where it should come from. There is no way to answer that question without knowing for what purpose the 3rd party product requires the certificate and what you're trying to do. Is it for client validation? Is it for server validation? What *exactly* does it need to validate?
(For example, when I connect to amazon.com with a secure browser, what I need to validate and what amazon.com needs to validate are completely different.)

If it uses it, for example, to securely identify the client, then you will need to set up a scheme in which the client has a certificate suitable for use for such secure identification.

Depending on exactly what your question really is, it may get into deep issues about your security framework and threat models. Or it may be as simple as "generate a self-signed certificate each time" or "go to a CA and get a certificate". It depends on what the certificate is doing in the security framework.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
