Re: Does a root CA need two certificates?

2005-01-19 Thread Shaun Lipscombe
* R. Markham wrote:

 I don't understand why a root CA which everybody can download from the
 internet is more secure than if I use my own CA. I want to make it clear I
 am not against using certificates from an official CA. But in some cases you
 can save the expense of the certificate if you use your self-signed
 certificate. If you want only authenticated users to have access, then you
 can use SSLVerifyClient in Apache.

I made the same mistake as this: assuming that an authenticated client
is authorised.  This gave me a headache since I couldn't work out why
it's secure, since anyone could obtain a signed client certificate from
a root CA and if that root CA is in the list of CAs on my webserver
they can get access. However now I understand it.  The root CA doesn't
grant a certificate saying this person is allowed access to your
website but that this person is WHO THEY SAY THEY ARE.  This means it's
still up to you to decide what they should be allowed to access (their
authorization).  You've just used a different way of identifying them:
a certificate instead of a username & password.

SSLCheckClientDN and SSLFakeBasicAuth allow for authenticated access in
Apache, NOT SSLVerifyClient. SSLVerifyClient just makes sure they have a
valid client certificate.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]


Re: SSL (or alike) over UDP

2005-01-17 Thread Shaun Lipscombe
* Ben Laurie wrote:

 Peter 'Luna' Runestig wrote:
 On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
 
 Do you know if it's possible to use SSL (or some other protocol) over
 UDP running totally in user space.
 
 
 The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works
 great.
 
 No, it doesn't. It uses SSL to bootstrap UDP connections.

It says in the book Web Security & Commerce by Simson Garfinkel and
Gene Spafford that SSL cannot use UDP.

I read that bit just the other day :-)


Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-14 Thread Shaun Lipscombe
* Bernhard Froehlich wrote:

 Shaun Lipscombe wrote:
 
 [...]
 One last question... it's to do with client certificates. If I have two
 websites, say, and they both require client certificates signed by the
 CA ABC Ltd, there is nothing stopping a client certificate being used
 for authorization to access both sites even though those two sites may
 not be aware of each other. Is it up to the webserver to go through the
 certificate, once it's been shown to be valid, and see whether
 access should be granted, or is there something I've missed? I created
 two sites that have a CA in common in their acceptable CA lists and I can
 now access both sites with the same certificate. What can I do to avoid
 such a circumstance?
 
 You should not mix up the fact "The user has a valid certificate" and
 "The user has access to something".

Yes, this is what I did. Thanks to you and Bernhard Froehlich I have now
got it all clear in my brain :-)

Shaun
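The two-site situation above, and the authenticated-is-not-authorised point from the 2005-01-19 reply, as an added example that is not code from the thread: Apache (SSLVerifyClient) still does the certificate check, and each site's own admission decision is made afterwards from the SSL_CLIENT_* variables mod_ssl exports to the application. Site names, the policy table and the sample DNs are hypothetical.

```python
"""Authorization layer behind Apache client-certificate authentication.
SSLVerifyClient only proves the client holds a certificate chaining to a
trusted CA (authentication); who may enter which site is decided here from
the SSL_CLIENT_* variables mod_ssl exports. Added example, not from the
thread; site names and policy are hypothetical."""
from typing import Dict, Tuple

# Hypothetical policy: both sites trust the same CA for identity, but each
# keeps its own list of subject CNs it admits (the thread's two-site case).
SITE_POLICY = {
    "intranet.example": {"issuer_o": "ABC Ltd", "allowed_cn": {"alice", "bob"}},
    "partners.example": {"issuer_o": "ABC Ltd", "allowed_cn": {"carol"}},
}

def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a DN as mod_ssl emits it: legacy '/C=GB/O=ABC Ltd/CN=alice' or
    RFC 2253 'CN=alice,O=ABC Ltd,C=GB' (escaped separators not handled)."""
    sep = "/" if dn.startswith("/") else ","
    attrs: Dict[str, str] = {}
    for part in dn.strip(sep).split(sep):
        key, eq, value = part.partition("=")
        if eq:
            attrs[key.strip()] = value.strip()
    return attrs

def authorize(site: str, env: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to `site` with mod_ssl env `env`."""
    # 1. Authentication must already have succeeded (Apache did the chain check).
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "client certificate not verified"
    policy = SITE_POLICY.get(site)
    if policy is None:
        return False, "unknown site"
    issuer = parse_dn(env.get("SSL_CLIENT_I_DN", ""))
    subject = parse_dn(env.get("SSL_CLIENT_S_DN", ""))
    # 2. The identity only counts if the CA this site relies on vouched for it ...
    if issuer.get("O") != policy["issuer_o"]:
        return False, "issuer %r not accepted by %s" % (issuer.get("O"), site)
    # 3. ... and being identified is not the same as being admitted.
    cn = subject.get("CN")
    if cn not in policy["allowed_cn"]:
        return False, "%s is authenticated but not authorized for %s" % (cn, site)
    return True, "ok"

# Constructed sample: what mod_ssl would export for alice's certificate.
ALICE = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=GB/O=ABC Ltd/CN=alice",
    "SSL_CLIENT_I_DN": "/C=GB/O=ABC Ltd/CN=ABC Ltd Root CA",
}
```

With the same certificate, `authorize("intranet.example", ALICE)` admits alice while `authorize("partners.example", ALICE)` refuses her, which is exactly the per-site decision SSLVerifyClient alone never makes.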


Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-13 Thread Shaun Lipscombe
I have used openssl to set up a CA to sign site certificates and client
certificates.  All is working just great; however, I have a couple of
questions to ask so that I don't go insane.

Why is it that a Microsoft box requires SSL certificates be imported
from a PKCS12 file when all other operating systems and software are OK
with a PEM certificate?  PKCS12 contains the private key of the key pair
alongside the certificate and this is simply not necessary unless you
actually NEED the primary key.. for example the box on which you are
installing the .pfx (p12) file didn't generate the Private Key but it is
required to sign code/email using the private key, using the signed
certificate for encryption.  The primary key, I thought, should ideally
have ONE home and not be moved about even if this PKCS12 is SUPPOSEDLY
secure.  (People choose crappy passphrases so I'm sure brute forcing it
wouldn't take long with today's computers.)

Another question I have is I have seen documentation on the net showing
CSRs being generated that catenate the private key and PEM encoded
certificate request prior to being sent for signing by the CA. This again
seems *strange*. Why is this done? I can give you a URL where this is
done, but I've seen the combining of the key and request in *many* net
resources and it seems *strange* to me that anyone would want to send
their private key across the insecure website along with the CSR to be
signed!

Here is an example of a site showing this:
http://sandbox.rulemaker.net/ngps/m2/howto.ca.html.  I have also seen
the primary key added to a certificate AFTER it's been returned, signed,
from the CA but I guess this could just be for exporting onto a system
on whose behalf the request was made.  Sorry for the badly
worded sentence!


Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-13 Thread Shaun Lipscombe
* Dr. Stephen Henson wrote:

 On Thu, Jan 13, 2005, Shaun Lipscombe wrote:
 
  Why is it that a Microsoft box requires SSL certificates be imported
  from a PKCS12 file when all other operating systems and software are OK
  with a PEM certificate?
 
 It doesn't. You can do that of course but the preferred technique is the same
 as every other environment: create a private key on the Microsoft box, sign a
 request with it, send the request to the CA and install the resulting certificate.

Ok. That makes far more sense since the private key doesn't have to be
created on one box and transferred to the m$ box, i.e. it's more secure. I
didn't want to use the Certification stuff that comes with Windows 2000
Server coz it's a tad expensive and openssl works a charm.

 For MSIE you can use Xenroll for that.

Not heard of that but will take a looksie.

  Another question I have is I have seen documentation on the net showing
  CSRs being generated that catenate the private key and PEM encoded
  certificate request prior to being sent for signing by the CA. This again
  seems *strange*. Why is this done?
 
 Probably for the same reasons some sites suggest that a CA certificate is
 installed by creating a PKCS#12 file including the CA private key: sheer
 ignorance :-(

I've not heard of that but installing root certificates along with their
primary key completely underpins the whole concept of a chain of trust.
Glad to hear that it's ignorance and me not understanding something :-)

I'll delete that site from my bookmarks :-)

One last question... it's to do with client certificates. If I have two
websites, say, and they both require client certificates signed by the
CA ABC Ltd, there is nothing stopping a client certificate being used
for authorization to access both sites even though those two sites may
not be aware of each other. Is it up to the webserver to go through the
certificate, once it's been shown to be valid, and see whether
access should be granted, or is there something I've missed? I created
two sites that have a CA in common in their acceptable CA lists and I can
now access both sites with the same certificate. What can I do to avoid
such a circumstance?

Shaun
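The workflow Stephen Henson describes (private key generated on the box, only the request goes to the CA, the returned certificate installed beside the key), with a pre-send check that refuses the key-plus-CSR concatenation questioned in the 2005-01-13 posts, as an added example that is not code from the thread. The PEM bodies are constructed placeholders rather than real key material, and openssl itself is only shown in the comments, not invoked.

```shell
#!/bin/sh
# Gate for files about to leave the box for the CA: a CERTIFICATE REQUEST block
# may go, a PRIVATE KEY block never may. Added example, not from the thread.
# The flow this protects (the CA only ever sees site.csr):
#   openssl req -new -newkey rsa:2048 -keyout site.key -out site.csr
#   ...send site.csr to the CA...; install the returned site.crt next to site.key.

# Print the type of every PEM block in a file, one per line.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Exit status: 0 = safe to send, 1 = no request in file, 2 = a private key is
# present ("RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY" all match).
csr_safe_to_send() {
    types=$(pem_block_types "$1")
    printf '%s\n' "$types" | grep -q 'CERTIFICATE REQUEST$' || return 1
    printf '%s\n' "$types" | grep -q 'PRIVATE KEY$' && return 2
    return 0
}

# Constructed sample files; the base64 bodies are placeholders, not real keys.
WORK=$(mktemp -d)
cat > "$WORK/clean.csr" <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
MIIBconstructedplaceholderbody
-----END CERTIFICATE REQUEST-----
EOF
# The key-plus-request concatenation the howto pages show: must be refused.
cat > "$WORK/combined.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedplaceholderbody
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBconstructedplaceholderbody
-----END CERTIFICATE REQUEST-----
EOF

for f in "$WORK/clean.csr" "$WORK/combined.pem"; do
    if csr_safe_to_send "$f"; then
        echo "OK to send:  $f"
    else
        echo "REFUSED ($?): $f"
    fi
done
```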