Installing X509 client certificates for SSL?
From: colm (colum@mail.com) Date: 01/29/02
From: colum@mail.com (colm) Date: 29 Jan 2002 10:56:05 -0800
Hello all,
I'm looking at setting up some PKI stuff at my place of work and have
run into some difficulties putting a few demo sites into place.
I have managed to set up my SSL-enabled Apache and generated
self-signed server certificates - so far so good. Server
authentication is working fine. However, I am completely stumped about
how to import client certificates into either IE or NS. Here's a couple
of questions:
- I attempted generating an X509 certificate (using openssl), signing
it with my own CA, converting it to DER format and then importing it
to IE. IE imports it happily but then doesn't display it as one of my
Personal Certificates (despite my 'forcing' the Personal store option).
At first I was stuck on this but then I thought - surely the browser
has to play some part in generating its own certificate since it has
to keep track of the private key. This is based on my limited
understanding of certificates i.e. a certificate is basically a
wrapper for a public key along with some X500 data (DN record
entries). Is this roughly the case? If I generate a key using openssl
and then produce a signed certificate, how does my browser know the
private key?
- I have found some scattered docs that suggest that NS can only
receive a certificate by http with an appropriate MIME type set for
the PEM format file. Is this also true? Also, NS used to support a
custom tag that caused it to generate a local private key and issue a
CSR to the CA (sorry about all the TLA's ;-) Again, can anyone clarify
this?
Any other hints/tips gratefully accepted. As a sidenote, in all my
years developing for the web I have never found a technology for which
it is so difficult to track down clear, concise docs and examples.
Everyone seems to be out to sell you something... For the record, I
have used and would recommend the following sites but still find them
a little thin on the client-certification side:
http://www.modssl.org/ - the modSSL docs are invaluable
http://docs.iplanet.com/docs/manuals/security/pkin/contents.htm - very
good intro to PKC and some docs that used to be at Netscape -
nowadays, all Netscape's docs on the matter dump you onto Verisign's
site where they try to flog you their 'services'. I would rather use
open source stuff for this if possible.
http://www.rsasecurity.com/ - much broader but good intro stuff for
crypto-related things.
http://ospkibook.sourceforge.net/ - the open source PKI book project -
maybe a little out-of-date.
Other than the four above I can't find any sites with much original
content. Anyway, I'd be very grateful for any comments or pointers,
Cheers,
colm
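
Added example, not part of the original post: the openssl workflow the message describes (own CA, signed client certificate, DER conversion), with checks on what each resulting file actually contains. The subjects, file names and password are constructed; the PKCS#12 step is not in the post and is included as an assumption-free contrast, since a PKCS#12 file is a container that carries the private key together with the certificate.

```shell
#!/usr/bin/env bash
# Constructed demo: every name, subject and the password "demo" is made up.
set -eu

make_demo_pki() {   # $1 = scratch directory
  local d="$1"
  # Throwaway self-signed CA, standing in for "my own CA".
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Client key pair and CSR, generated with openssl rather than by the browser.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  # CA signs the CSR, then the certificate is converted to DER.
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
  openssl x509 -in "$d/client.pem" -outform DER -out "$d/client.der"
  # PKCS#12 bundle: certificate, CA certificate AND the private key.
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
    -certfile "$d/ca.pem" -name "demo client" -passout pass:demo \
    -out "$d/client.p12"
}

# Public key stored inside a DER certificate.
cert_pubkey() { openssl x509 -inform DER -in "$1" -noout -pubkey; }
# Public key recomputed from a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout; }
# Succeeds only if the file parses as a private key.
der_has_private_key() { openssl pkey -inform DER -in "$1" -noout 2>/dev/null; }
# Succeeds only if the PKCS#12 bundle yields a private key.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin pass:demo -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"
if [ "$(cert_pubkey "$work/client.der")" = "$(key_pubkey "$work/client.key")" ]; then
  echo "client.der: public key matches client.key"
fi
if ! der_has_private_key "$work/client.der"; then
  echo "client.der: no private key inside"
fi
if p12_has_private_key "$work/client.p12"; then
  echo "client.p12: certificate plus private key"
fi
```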