Re: Chaining x.509 certificates

From: jacost (jacostr_at_z.pl)
Date: 04/28/05

    Date: Thu, 28 Apr 2005 10:18:56 +0200
    
    

    wdtj@yahoo.com wrote:
    > [...]
    > It looks like, with https, our customer will need their own x.509
    > certificate. They can, of course generate their own self-signed
    > certificate, or get one from Verisign, et al.

    If your user group is small, you can generate your own self-signed root
    certificate (and key), and then generate certificates for your customers
    using tools like OpenSSL (see the thread "Certificate Management Tools",
    originated by TC on April 27, 18:35). You have to load your root
    certificate into your customer's trusted certificate repositories to
    avoid browser warnings.

    > I'm wondering if there is a third option. For us to create a
    > sub-certificate off of our current one.

    A certificate contains extensions describing its allowed uses. The
    certificate you got from Verisign probably doesn't allow
    subcertification or issuing CRLs. So the software validating the
    certificate chain _should_ at least issue warnings on this.

    > After digging through keytool and a whole pile of stuff on Google for a
    > day (and barely scratching the surface), I still have not figured out
    > the magical step of chaining a x.509 certificate. Keytool refers to
    > importing a chained certificate from the CA, but nothing about how the
    > CA creates it.

    An answer by Ann & Lynn Wheeler to the post mentioned above lists many
    references on this subject.

    J.
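
The two points in the reply above, as an added example that is not part of the original message: a sub-CA has to be issued with CA:TRUE and keyCertSign, while a certificate signed with an ordinary server certificate's key fails chain validation. It assumes the `openssl` command-line tool is installed; every name used (Example Root CA, Example Issuing CA, www.example, customer.example) is constructed.

```shell
#!/bin/sh
# Added example: builds a throwaway PKI in a temp dir; all names are constructed.
chain_demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
  # issue NAME CN ISSUER SECTION: new key and CSR, signed by ISSUER with SECTION's extensions
  issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj "/CN=$2" \
      -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
      -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions "$4" \
      -out "$d/$1.pem" 2>/dev/null
  }
  # verify ARGS...: prints "ok" only if openssl reports the whole chain as valid
  verify() { openssl verify "$@" 2>&1 | grep -q ': OK$' && echo ok || echo rejected; }

  # Self-signed root: the certificate customers would import as trusted.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/pki.cnf" -extensions v3_ca \
    -subj "/CN=Example Root CA" -days 30 -keyout "$d/root.key" -out "$d/root.pem" \
    2>/dev/null &&
  issue inter "Example Issuing CA" root  v3_ca   &&  # sub-CA: CA:TRUE, keyCertSign
  issue site  "www.example"        root  v3_leaf &&  # ordinary server certificate
  issue good  "customer.example"   inter v3_leaf &&  # chained under the sub-CA
  issue bad   "customer2.example"  site  v3_leaf ||  # signed with the server cert's key
    { rm -rf "$d"; return 1; }

  echo "good=$(verify -CAfile "$d/root.pem" -untrusted "$d/inter.pem" "$d/good.pem")" \
       "bad=$(verify -CAfile "$d/root.pem" -untrusted "$d/site.pem" "$d/bad.pem")"
  rm -rf "$d"
}
chain_demo
```

Signing with the server certificate's key succeeds mechanically; it is the relying party's chain validation that rejects the result, and the exact error text varies between OpenSSL versions.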

