Hi Hamlet,

I don't know of any package but there is prolly one out there; you should definitely have a look. I have done a bit of work with X.509 and Java. Once you get into it it's not that bad. Java kinda babysits you through most of the nastier SSL points (I haven't decided whether this is a good thing or a bad thing). The good news is that getting full client- and server-side authentication is pretty easy, so it will work as a quick, easy soln, but again that all depends on your needs. Also the Java keytools package (well, the default one that ships with JVMs) can be a pain in the backside to deal with at the start, but once you get it all set up you will rarely have to deal with it (just as well, as it has some really stupid bugs in it).

As for deploying the certs, you should just set up your CA and make the root cert Pbk available to everyone. They can use this as their source of trust (in Java either import it into the cacerts file (you generally don't wanna do this but I guess it depends on your situation) or you just make your own). The clients that are going to be talking to your server can generate a cert for themselves and pass a CSR to you to evaluate, and once you have signed it you send it back. You will use the same caCert that you make available as your trust store. When the client connects you can just accept the cert based on the fact that it is signed by you, or you can also take the cert they are presenting and check it against a list of hosts known to the server (an easy check to give you a bit more breathing space with the CRLs, but in the end this is not a good soln, just a suggestion to get things up and running). The certs should be signed on a private machine that no-one can log into (someone gets the private key and you're in for a world of pain revoking all your certs at once). All in all it's not the worst thing to write; again that depends how much time you have to spare. If you are going to do it yourself in Java I recommend picking up the O'Reilly Java Security book as that will definitely speed up the process.
If you are doing it in another language I can't really help you, as I don't have enough experience with this kind of programming in other languages. Lemme know how it turns out, and if you have any questions lemme know.

On Mon, 29 Oct 2001 [EMAIL PROTECTED] wrote:

> Ok Rory, more details:
> - I'm going to set up an internal CA.
> - I want to use X.509 certificate based authentication to log on to Unix workstations
>   (I have AIX and Solaris).
> - The certificate shall have to be used to authenticate the user to local and remote
>   services (both client and server authentication).
>
> And yes, I'd prefer to use a package but I can write it if the package is too
> expensive.
>
> Thanks
> Hamlet
>
> -----Original Message-----
> From: "Rory" <[EMAIL PROTECTED]>
> Sent: Saturday, October 27, 2001 1:48 AM
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Subject: Re: Certificate logon on Unix
>
> If you are just doing server-side authentication then all you need to do
> is store the cert on the server and distribute the CA public key to all
> the clients so they trust the cert that the server presents. The CA public
> key can be stored in the user's directory and the worst thing that will
> happen is that someone will change the CA in the user directory and the
> clients will stop trusting the server; playing with the permissions on the
> CA will prolly help mitigate the chances of this happening.
>
> It all depends on what you are trying to achieve with these certs.
>
> Do you need/want client-side authentication, or just to make sure the clients
> know who they are connecting to, or does the server need to know who is
> connecting to it?
>
> Are you looking for a package to do this or to write it yourself?
>
> Are you going to make your own CA or pay for a recognised CA? (If you're
> controlling both client and server I see no reason to get a recognised CA,
> but you will have to do more that way, CRLs and the like.)
>
> If you could give a bit more information about what you are trying to
> achieve that would help.
>
> On Fri, 26 Oct 2001 [EMAIL PROTECTED] wrote:
>
> > Hi, all
> > I would like to use an X.509 certificate to log on to a Unix workstation but it seems
> > there are no COTS available for this.
> > Do you have any information about it?
> > Where do you think I have to store the certificate? A smart card or in the user
> > directory?
> >
> > thanks for any input
> >
> > hamlet

-- 
----Rory
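The server-side setup Rory describes (a trust store holding only the CA cert, client certs accepted because that CA signed them, plus the optional check of the presented cert against a list of hosts the server knows) as an added Java/JSSE example that is not code from the thread; the allow-list entries, store paths and class names are constructed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Set;
import javax.net.ssl.*;

public class KnownClientMutualTls {
    // Constructed allow-list of client subject DNs the server already knows about
    // (RFC 2253 form, which is what getSubjectX500Principal().getName() returns).
    static final Set<String> KNOWN_CLIENTS = Set.of(
            "CN=workstation-01,O=Example Corp",
            "CN=workstation-02,O=Example Corp");

    // Delegates chain validation to the JSSE trust manager built from the CA-only
    // trust store, then applies the extra "known host" check from the thread.
    static final class KnownClientTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        KnownClientTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType); // chain must lead to our CA
            String subject = chain[0].getSubjectX500Principal().getName();
            if (!KNOWN_CLIENTS.contains(subject)) {
                throw new CertificateException("client not on the known list: " + subject);
            }
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }

    // Key store: server cert + private key. Trust store: only the CA root cert.
    static SSLContext serverContext(String keyStore, String trustStore, char[] pw)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keyStore)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStore)) { ts.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager base = (X509TrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new KnownClientTrustManager(base) }, null);
        return ctx;
    }
}
```

Create the listener with `ctx.getServerSocketFactory().createServerSocket(port)` and call `setNeedClientAuth(true)` on the resulting `SSLServerSocket`; otherwise the client is never asked for its cert and `checkClientTrusted` never runs.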
