Re: Chaining x.509 certificates
From: Edward A. Feustel (efeustel_at_direcway.com)
Date: 04/28/05
- Previous message: Edward A. Feustel: "Re: Certificate Management Tools"
- In reply to: wdtj_at_yahoo.com: "Chaining x.509 certificates"
- Next in thread: Wayne Johnson: "Re: Chaining x.509 certificates"
- Reply: Wayne Johnson: "Re: Chaining x.509 certificates"
Date: Thu, 28 Apr 2005 07:29:11 -0400
<wdtj@yahoo.com> wrote in message
news:1114638501.502505.19450@f14g2000cwb.googlegroups.com...
> I'm fairly new to x.509 certificates, etc. Please forgive a novice
> question...
>
> I work for a software development organization. We've used a Verisign
> x.509 certificate (via keytool and jarsigner) to sign our jars before
> they get shipped to customers for a few years. Now we're going to be
> shipping a new product enhancement that uses https for security.
>
> It looks like, with https, our customer will need their own x.509
> certificate. They can, of course generate their own self-signed
> certificate, or get one from Verisign, et al.
>
> I'm wondering if there is a third option. For us to create a
> sub-certificate off of our current one.
>
> After digging through keytool and a whole pile of stuff on Google for a
> day (and barely scratching the surface), I still have not figured out
> the magical step of chaining a x.509 certificate. Keytool refers to
> importing a chained certificate from the CA, but nothing about how the
> CA creates it.
>
> I suppose, if it were easy, Verisign would quickly go out of business
> :{)>
>
> Any suggestions or references would be greatly appreciated.
>
>
The real question is whether your https protocol requires mutual authentication. That is, do you require that each client identify themselves with a public/private key challenge? If not, you only need a certificate for your servers. They need to identify themselves to the client, but not the other way around.

A chained certificate is when one CA certifies another one as a CA and not a user. It has some extra bits turned on in the certificate if this is so. Verisign typically only signs CA certificates for themselves and for users. You cannot "properly" sign a CA certificate with a user's certificate (as far as the certificate validation software is concerned).

Ed
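Ed's two points (the "extra bits" a CA certificate carries, and a validator refusing a chain that passes through a user certificate) can be checked with Go's standard crypto/x509 package. This is an added example, not code from the thread or from keytool; the names "Vendor Root CA", "Vendor Sub CA", "Vendor Code Signer" and "customer.example" are made up.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a certificate for name signed by parent/parentKey (self-signed when parent is nil);
// ca=true turns on the "extra bits" of a CA certificate: basicConstraints CA:TRUE and keyCertSign.
func mkCert(serial int64, name string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // basicConstraints extension present; CA flag follows ca
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // parsed form carries the public key needed to sign children
	return cert, key
}
// verifyChain checks whether leaf chains to root through issuer, as an https client would.
func verifyChain(root, issuer, leaf *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
// demo builds root -> sub-CA -> server (accepted) and root -> user cert -> server (rejected).
func demo() (viaSubCA, viaUserCert error) {
	root, rootKey := mkCert(1, "Vendor Root CA", true, nil, nil)
	sub, subKey := mkCert(2, "Vendor Sub CA", true, root, rootKey)
	user, userKey := mkCert(3, "Vendor Code Signer", false, root, rootKey)
	good, _ := mkCert(4, "customer.example", false, sub, subKey)
	bad, _ := mkCert(5, "customer.example", false, user, userKey)
	return verifyChain(root, sub, good), verifyChain(root, user, bad)
}
```

The second chain fails because the validator sees that the issuing certificate has no CA bit and no keyCertSign usage, which is exactly why a vendor's code-signing (user) certificate cannot stand in for a CA.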