Re: Newbie question - Signing CSR's (picture enclosed)

2003-08-19 Thread Charles B Cranston
Sometimes a picture is worth a thousand words:

The "Standard Model" of Certificate generation:

On the server machine: Generate CSR operation

  +-------------+       +------------------------------+
  | Private Key |       | Certificate Signing Request  |
  +------+------+       |                              |
         |              |   +----------------+         |
         |              |   |   Public Key   |         |
         |              |   +----------------+         |
         |              |                              |
         |              |     "Distinguished Name"     |
         |              |                              |
  Note: hash is signed  |   +----------------+         |
  by private key above  |   |      Hash      |         |
         +------------->|   +----------------+         |
                        +--------------+---------------+
                                       |
                                       | Sent to CA for signing
                                       v
                        +------------------------------+
  CA can use public key | Certificate                  |
  from CSR to check     |                              |
  signature on hash to  |   +----------------+         |
  prevent alteration of |   |   Public Key   |         |
  CSR by adversary      |   +----------------+         |
                        |                              |
                        | "Issuer Distinguished Name"  |
                        |                              |
                        | "Subject Distinguished Name" |
                        |                              |
  Note: hash is signed  |   +----------------+         |
  by private key of root|   |      Hash      |         |
                        |   +----------------+         |
                        +--------------+---------------+
                                       |
                                       | Returned to server
                                       v
In secure site operation:

Server presents certificate to client

Client uses public key of root (obtained from preconfigured root
certificate) to check hash to ensure certificate has not been forged.
Client rolls a random number and encrypts it with the public key from
the server certificate, then returns it to the server.
Server decrypts this with server private key and both sides use it
as a symmetric key for conventional (e.g., DES) cryptography.
Eavesdropper does not have access to private key so cannot decrypt.
Man-in-the-middle attacker does not have access to private key so
cannot decrypt.
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: Newbie question - Signing CSR's (picture enclosed)

2003-08-20 Thread Rohan Pinto
So...

if the CSR has been generated
and the CSR has been sent to the CA (running openssl)
what's the command (in openssl) to sign this CSR ??
anything on the lines of..

./openssl -some parameters- request.CSR -some parameters-
signedCSR.cer ??

Rohan
- Original Message -
From: "Charles B Cranston" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 19, 2003 12:50 PM
Subject: Re: Newbie question - Signing CSR's (picture enclosed)



Re: Newbie question - Signing CSR's (picture enclosed)

2003-08-20 Thread Dr. Stephen Henson
On Wed, Aug 20, 2003, Rohan Pinto wrote:


As I mentioned in the other message, you first have to create a root CA and its
directory structure. The command:

CA.pl -newca

will do that (there are other ways but CA.pl is the easiest).

Then when you have the CSR rename it to "newreq.pem" and do:

CA.pl -sign

and the certificate will be in newcert.pem

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
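The round trip in Ben Cranston's diagram (server makes key + CSR, CA checks the CSR's own signature, CA signs with its private key, server gets the certificate back, client verifies it against the preconfigured root) and the two CA.pl steps Steve Henson names, done with the underlying openssl commands so every step is visible. This is an added example written for this page, not code posted in the thread and not part of the OpenSSL project's CA.pl. The CA name "Demo Root CA", the server name www.example.test, the file names and the throwaway openssl.cnf it writes are all arbitrary choices for the demonstration; CA.pl does the equivalent using the system-wide openssl.cnf plus the demoCA/ index and serial bookkeeping.

```shell
#!/bin/sh
# Added example (not from the thread): the CSR signing round trip from
# Ben Cranston's diagram, done with plain openssl commands instead of
# CA.pl.  The CA name, the server name www.example.test and the file
# names are arbitrary choices for this demonstration.
set -eu

# Runs the whole flow in a scratch directory (a subshell, so the cd and the
# cleanup trap do not leak into the caller) and prints the issuer and
# subject of the issued certificate.  Exit status is non-zero if any step,
# including the final verification, fails.
run_demo() (
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # A minimal openssl.cnf.  CA.pl relies on the system-wide one; writing
    # our own makes the extensions explicit and the run reproducible.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test
authorityKeyIdentifier = keyid
EOF

    # 1. The CA: private key plus self-signed root certificate (what
    #    "CA.pl -newca" sets up).  Its public key is what clients are
    #    preconfigured with.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config ca.cnf -extensions v3_ca \
        -keyout ca.key -out ca.crt

    # 2. The server: private key plus CSR.  The CSR carries the public key
    #    and the requested Distinguished Name and is signed with the server's
    #    own private key (the "hash is signed by private key above" box).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config ca.cnf -subj "/CN=www.example.test" \
        -keyout server.key -out server.csr

    # 3. The CA checks the CSR's self-signature before signing anything.
    #    A CSR altered in transit fails here.
    openssl req -in server.csr -verify -noout >/dev/null

    # 4. The CA issues the certificate (what "CA.pl -sign" does): the hash
    #    is signed with the CA's private key, the issuer DN is copied from
    #    ca.crt, and the v3_server extensions are added.  Serial numbers
    #    must be unique per CA; -CAcreateserial starts a counter file.
    openssl x509 -req -in server.csr -sha256 -days 90 \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile ca.cnf -extensions v3_server \
        -out server.crt

    # 5. Back on the server: the returned certificate must carry the public
    #    key belonging to the private key the CSR was made from.
    if [ "$(openssl x509 -in server.crt -noout -pubkey)" != \
         "$(openssl pkey -in server.key -pubout)" ]; then
        echo "certificate public key does not match server.key" >&2
        exit 1
    fi

    # 6. What the client does: check the signature on the certificate
    #    against the preconfigured root.
    openssl verify -CAfile ca.crt server.crt >/dev/null

    openssl x509 -in server.crt -noout -issuer -subject
)

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

Running it prints the issuer/subject pair from the bottom box of the diagram (issuer=CN = Demo Root CA, subject=CN = www.example.test); the key generation progress goes to stderr. The keyEncipherment bit on the server certificate is the permission for exactly the RSA key transport Ben describes (client encrypts a secret to the server's public key), and step 5 is the check a server operator should make on any certificate handed back by a CA before installing it.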