Please help me to understand more about "SELF SIGNED CERTIFICATES".

Do self-signed certificates have to be signed at all by their own CA ?? Do we have
to generate a CSR for each client ?? If they do, what is the best way to create a
"Self-Signed Cert" ?? Either

1.  Each client is its own CA
    a. // generate keys and CSR
       openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
    b. // generate cert signed by its own CA
       openssl x509 -req -in clientreq.pem -sha1 -signkey clientkey.pem -out clientcert.pem


2. Create one root CA; every client creates its own certificate signed by the root CA

    // create root
    a. openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
    b. openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem
    c. cat rootcert.pem rootkey.pem > root.pem

    // create client certificate, signed by common root
    d. openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
    // -CA/-CAkey sign with the root, so -signkey is not used here;
    // -CAcreateserial creates the serial-number file (root.srl) on first use
    e. openssl x509 -req -in clientreq.pem -sha1 -CA root.pem -CAkey root.pem -CAcreateserial -out client.pem

Please help.

Thao


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Lloyd
Sent: Monday, June 04, 2012 6:24 AM
To: openssl-users@openssl.org
Subject: Re: authenticate peer

Thanks again...

In my case I am using "SELF SIGNED CERTIFICATES", totally eliminating
CA. So, is it possible to check both sides without a CA?

Thanks for your help....

  Lloyd

On Mon, Jun 4, 2012 at 3:45 PM, Alexander Komyagin <komya...@altell.ru> wrote:
> If you need checks on both sides, both client and server shall have
> loaded their own certificates (private/public keys) and some CA
> certificate(s) to be verified against.
>
> SSL_CTX_load_verify_locations() loads locations where CA certs are
> stored.
>
> Take a look at
> http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
>
> On Mon, 2012-06-04 at 15:14 +0530, Lloyd wrote:
>> Thanks Alexander Komyagin,
>>
>> So it means in mutual authentication mode also, each client and server
>> needs only to load its own private key and public key. During the SSL
>> handshake the SSL protocol will share the public keys of each other?
>>
>> Then what's the use of the "SSL_CTX_load_verify_locations()" API?
>>
>> In my case the client needs to authenticate the server and also the server
>> needs to authenticate the client.
>>
>> Thanks again,
>>   Lloyd
>>
>>
>> On Mon, Jun 4, 2012 at 2:57 PM, Alexander Komyagin <komya...@altell.ru> 
>> wrote:
>> >
>> > Hi, Lloyd!
>> >
>> > If you are establishing SSL connection between client and server, and
>> > SSL_VERIFY_PEER flag is set, AFAIK server will ask for client
>> > certificate during SSL handshake phase.
>> >
>> > So why do you need to load clients certs manually?
>> >
>> > On Mon, 2012-06-04 at 11:06 +0530, Lloyd wrote:
>> > > Hi,
>> > >
>> > > We have a client server application with SSL (OpenSSL). The server
>> > > has a public/private key pair and also "each client" has a
>> > > public/private key pair. When client and server communicate they need
>> > > to authenticate each other. So we are using the flags SSL_VERIFY_PEER|
>> > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT at both the client and server. All the
>> > > certificates are self signed.
>> > >
>> > > Each client is unique, that is each of them has its own private/public
>> > > key pair. In order to verify each client, the server needs to load all
>> > > the clients' certificates (doesn't certificate mean public key in this
>> > > context?). Is it possible to load all client certificates? Which
>> > > OpenSSL API should I use for this?
>> > >
>> > > Thanks a lot,
>> > >
>> > >   Lloyd
>> > >
>> > >
>> >
>> > --
>> > Best wishes,
>> > Alexander Komyagin
>> >
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>
> --
> Best wishes,
> Alexander Komyagin
>

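The following script is an added example and is not code from the thread or from the OpenSSL project. It builds option 2 from Thao's question (one private root CA issuing a client certificate) next to Lloyd's deployment (a peer that is purely self-signed, with no CA at all), then runs with `openssl verify -CAfile` the same trust decision that `SSL_CTX_load_verify_locations()` combined with `SSL_VERIFY_PEER` makes inside a program. It assumes the `openssl` command-line tool is on PATH; the subject names, file names and the temporary directory are all constructed for the demo, and it uses rsa:2048/sha256 instead of the rsa:1024/sha1 in the quoted commands.

```shell
#!/bin/sh
# Added example (not from the thread). Private root CA + CA-issued client cert,
# a standalone self-signed peer, and the trust checks a server would make.
# Assumes the openssl CLI is on PATH; all names and paths are constructed.
set -eu

# Skip gracefully where the openssl CLI is not installed.
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One private root CA: -x509 makes req generate the key, the request and the
# self-signature in a single step.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=Demo Private Root CA" \
        -keyout "$WORK/rootkey.pem" -out "$WORK/rootcert.pem" 2>/dev/null
}

# A client certificate issued by that root: CSR, then x509 -req with -CA/-CAkey.
# No -signkey here (that would self-sign the request instead);
# -CAcreateserial writes the serial-number file on first use.
issue_client_cert() {
    name=$1
    openssl req -newkey rsa:2048 -sha256 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -sha256 -days 365 \
        -CA "$WORK/rootcert.pem" -CAkey "$WORK/rootkey.pem" -CAcreateserial \
        -out "$WORK/$name.crt" 2>/dev/null
}

# A peer that is its own CA (option 1 / Lloyd's "no CA at all" deployment).
make_self_signed() {
    name=$1
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# Shell equivalent of loading ANCHOR via SSL_CTX_load_verify_locations() and
# then verifying the certificate the peer presented. Prints ok or fail.
verify_against() {
    anchor=$1
    cert=$2
    if openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_root_ca
issue_client_cert client1
make_self_signed lone-peer

# With a private CA the server trusts one root and every root-issued client verifies.
CLIENT_VS_ROOT=$(verify_against "$WORK/rootcert.pem" "$WORK/client1.crt")
# Without a CA, a self-signed peer verifies only when its own certificate is the
# trust anchor, i.e. the server has to load each client's certificate...
LONE_VS_SELF=$(verify_against "$WORK/lone-peer.crt" "$WORK/lone-peer.crt")
# ...and it does not verify against a CA that never issued it.
LONE_VS_ROOT=$(verify_against "$WORK/rootcert.pem" "$WORK/lone-peer.crt")
# A CAfile may hold several anchors: this bundle trusts the root and the lone peer.
cat "$WORK/rootcert.pem" "$WORK/lone-peer.crt" > "$WORK/trusted.pem"
LONE_VS_BUNDLE=$(verify_against "$WORK/trusted.pem" "$WORK/lone-peer.crt")

printf 'client cert vs root CA:        %s\n' "$CLIENT_VS_ROOT"
printf 'self-signed vs itself:         %s\n' "$LONE_VS_SELF"
printf 'self-signed vs root CA:        %s\n' "$LONE_VS_ROOT"
printf 'self-signed vs trusted bundle: %s\n' "$LONE_VS_BUNDLE"
```

In a program the bundle file plays the role of the CAfile argument to `SSL_CTX_load_verify_locations(ctx, "trusted.pem", NULL)`, and `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL)` makes the handshake fail when the presented certificate does not chain to one of those anchors. The two "lone-peer" results show why the answer to Lloyd's question is yes but awkward: mutual checking without a CA works only if every server holds every client's self-signed certificate as an anchor (and every client holds the server's), so adding or rotating one client means redistributing trust stores, whereas with a private root CA each side needs just the root certificate.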