Re: SSL Certificate Chaining

From: rjf (rjf_at_tripwire_dot_com@info.der-keiler.de)
Date: 09/13/02


From: rjf <rjf_at_tripwire_dot_com>
Date: Fri, 13 Sep 2002 10:51:16 -0700

Henrick Hellström wrote:
> No, normally you purchase an "end-entity" certificate for your server.
> You *don't* have to issue any certificates for the clients of your
> system, because with SSL/TLS they normally don't need any.

I am not sure I have been clear. I am not deploying a single web site
where my customers will come to use our software. If that were the case,
then yes I would simply purchase an SSL cert from Verisign and that'd be
that.

Instead, I am shipping a software suite, which installs a web server
(tomcat) on a customer machine -- the customer will then connect to that
(their) server from many different clients on their network. Because
currently we install a self-signed cert when we install the server, when
they first connect from a given client machine they have to accept that
cert as valid via the "we can't guarantee anything" dialog that
typically appears via most browsers.

We'd rather install a certificate that has some implicit trust built in,
presumably due to association (through chaining?) with a Verisign
certificate.

We don't want the customer to have to deal with purchasing a certificate
to facilitate this. We want to programmatically create this certificate
at installation time.

Is that more clear (maybe it was all along)?
Thanks much,
Ron
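
Added example (not part of the original post or of any product it mentions): a Go standard-library program that runs the chain check a TLS client performs, for the purchased certificate, for the self-signed certificate the installer creates today, and for a certificate signed with the purchased end-entity key. The root, `vendor.example` and `tomcat.customer.example` are constructed names, and the purchased certificate is assumed to carry basicConstraints CA:FALSE, as an end-entity certificate does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for cn; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// scenarios returns the client-side verification result for each certificate:
// nil means the chain is trusted, an error is what triggers the browser dialog.
func scenarios() (purchased, selfSigned, chained error) {
	root, rootKey := issue("Constructed Public Root CA", true, nil, nil)
	vendor, vendorKey := issue("vendor.example", false, root, rootKey) // purchased end-entity cert
	self, _ := issue("tomcat.customer.example", false, nil, nil)       // today's installer output
	leaf, _ := issue("tomcat.customer.example", false, vendor, vendorKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)           // the client's trust store
	opts.Intermediates.AddCert(vendor) // extra chain certificate the server sends
	check := func(c *x509.Certificate) error { _, err := c.Verify(opts); return err }
	return check(vendor), check(self), check(leaf)
}

func main() {
	p, s, c := scenarios()
	fmt.Printf("purchased: %v\nself-signed: %v\nchained off end-entity: %v\n", p, s, c)
}
```

Only the purchased certificate verifies; the signature on the third certificate is cryptographically valid, but the verifier rejects its issuer because that issuer is not marked as a CA.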


