Re: Chaining x.509 certificates

From: Edward A. Feustel (efeustel_at_direcway.com)
Date: 04/28/05

  • Next message: vandananoSpam_at_nortel.com: "Key pair & Certificate lifetimes"

    Date: Thu, 28 Apr 2005 07:29:11 -0400


    <wdtj@yahoo.com> wrote in message
    news:1114638501.502505.19450@f14g2000cwb.googlegroups.com...
    > I'm fairly new to x.509 certificates, etc. Please forgive a novice
    > question...
    >
    > I work for a software development organization. We've used a Verisign
    > x.509 certificate (via keytool and jarsigner) to sign our jars before
    > they get shipped to customers for a few years. Now we're going to be
    > shipping a new product enhancement that uses https for security.
    >
    > It looks like, with https, our customer will need their own x.509
    > certificate. They can, of course, generate their own self-signed
    > certificate, or get one from Verisign, et al.
    >
    > I'm wondering if there is a third option. For us to create a
    > sub-certificate off of our current one.
    >
    > After digging through keytool and a whole pile of stuff on Google for a
    > day (and barely scratching the surface), I still have not figured out
    > the magical step of chaining an x.509 certificate. Keytool refers to
    > importing a chained certificate from the CA, but nothing about how the
    > CA creates it.
    >
    > I suppose, if it were easy, Verisign would quickly go out of business
    > :{)>
    >
    > Any suggestions or references would be greatly appreciated.
    >
    >
    The real question is whether your https protocol requires mutual
    authentication. That is, do you require that each client identify itself
    with a public/private key challenge? If not, you only need a certificate
    for your servers. They need to identify themselves to the client, but not
    the other way around.

    A chained certificate is when one CA certifies another one as a CA and not
    a user. It has some extra bits turned on in the certificate if this is so.
    Verisign typically only signs CA certificates for themselves and for users.
    You cannot "properly" sign a CA certificate with a user's certificate (as
    far as the certificate validation software is concerned).

    Ed

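    The "extra bits" Ed mentions are the basicConstraints (CA:TRUE) and keyUsage
    (keyCertSign) extensions, and the "cannot properly sign" part is enforced by
    the validator, not by the signing tool. The following script is an added
    example, not code from the post or from either poster: it builds a root CA,
    an issuing CA and a server certificate with the openssl CLI, validates that
    chain, then uses the server (CA:FALSE) key to issue a further certificate,
    exactly the "sub-certificate off of our current one" the questioner asked
    about, and shows that openssl x509 signs it without complaint while
    openssl verify rejects it. It assumes openssl 1.1.1 or later on PATH; every
    name, CN and hostname in it is made up.

```shell
#!/bin/sh
# Added example (not from the post): build a three-level X.509 chain with the
# openssl CLI, then show that a certificate issued by a leaf (CA:FALSE) key is
# rejected by path validation even though the signing step itself succeeds.
# Assumes openssl 1.1.1+ on PATH. All names, CNs and hostnames are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF
}

# Extension profiles. A CA certificate carries basicConstraints CA:TRUE and the
# keyCertSign key usage; an end-entity (leaf) certificate carries CA:FALSE and
# no keyCertSign, which is what a validator checks when it walks the chain.
write_ext_profiles() {
    cat > "$WORK/root.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/sub.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.test
EOF
}

# Generate a P-256 key and a CSR for NAME with subject /CN=CN.
new_key_and_csr() {  # NAME CN
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign NAME's CSR with ISSUER's certificate and key using extension profile EXT.
issue() {  # NAME ISSUER EXT
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

build_demo_pki() {
    if [ -f "$WORK/rogue.pem" ]; then return 0; fi   # already built
    write_req_config; write_ext_profiles
    new_key_and_csr root "Example Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
    new_key_and_csr sub "Example Issuing CA"
    issue sub root sub.ext
    new_key_and_csr server www.example.test
    issue server sub leaf.ext
    # The questioner's "third option": an end-entity key issuing another
    # certificate. openssl x509 produces it without objection; the rejection
    # happens later, in path validation.
    new_key_and_csr rogue rogue.example.test
    issue rogue server leaf.ext
    cat "$WORK/sub.pem" "$WORK/server.pem" > "$WORK/rogue-bundle.pem"
}

# Path validation: exit 0 if LEAF chains to root.pem through the UNTRUSTED bundle.
verify_leaf() {  # LEAF UNTRUSTED
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Print yes or no depending on whether CERT carries basicConstraints CA:TRUE.
is_ca() {  # CERT
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

build_demo_pki
echo "root is CA: $(is_ca "$WORK/root.pem"); server is CA: $(is_ca "$WORK/server.pem")"
if verify_leaf "$WORK/server.pem" "$WORK/sub.pem"; then
    echo "server.pem: chain root -> sub -> server validates"
fi
if ! verify_leaf "$WORK/rogue.pem" "$WORK/rogue-bundle.pem"; then
    echo "rogue.pem: rejected, server.pem is not a CA so it cannot issue certificates"
fi
```

    Two independent checks make the rogue chain fail: server.pem has
    CA:FALSE and lacks keyCertSign, and the issuing CA's pathlen:0 forbids any
    further CA below it. Either one is enough for openssl verify (and for the
    JSSE validator a Java https client uses) to reject the path, which is why
    a commercially issued end-entity certificate, like the jar-signing one in
    the question, cannot be turned into a CA by the holder.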
