Need pointers on managing client certs...
kdd21_at_hotmail.com
Date: 06/04/05
- Previous message: Security Alert: "SSRT5962 rev.0 - HP OpenView Radia Management Applications - Radia Notify Daemon Remote Unauthorized Access to Data and Denial of Service (DoS)"
- Next in thread: Colin McKinnon: "Re: Need pointers on managing client certs..."
- Reply: Colin McKinnon: "Re: Need pointers on managing client certs..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 3 Jun 2005 15:32:09 -0700
I'm not sure this is quite the right group, but perhaps someone will
tell me what is, if it's not...
I'm in the process of converting an application that currently uses
dialup to handle secure transactions to an internet https based
protocol. I have no control over the server side, just the client
which is a Unix box. I've been exploring openssl and curl, and trying
to figure out what is necessary in managing the certificate on the
client side which appears to be subject to periodic expiration. I can
get things to work simply by just telling curl not to do certificate
verification (curl -k), but since there is in fact a certificate it
would seem prudent not to do that.
However, I've had some difficulty finding out just what the management
of the client certificate involves. The client machine is a unix box
running data entry users on our applications. Ultimately, no one on
site with the machine will know anything about certificates or why you
would want or need them, so the box will be essentially unattended.
And it is not practical to expect the users to contact us every year or
so to get their cert file manually updated.
So far, I've used IE on a PC to export the certificate from the site in
question, which contained a CRL link that does return some data that I
don't know what to do with. The "Authority Information Access" URL
does not show a "crt" file, but is an "ocsp" URL so I gather I can't
just use curl to get the URL and expect a useful certificate. I've
tried to explore ocsp and how you use that, but it's not at all obvious
if or how it applies to keeping a client certificate file up to date.
Openssl can create a text certificate that looks like what I need from
the IE exported DER (?) file, but it will expire in about six months,
so I need to figure out what needs to happen to automatically update
the client's cert file at that time. I also haven't been able to
figure out how to get curl to get the DER data directly for me (that IE
was obviously able to get) so that I don't have to use IE to do it.
I'm not even sure exactly what questions to ask at this point; I've
seen a dozen or so new buzzwords with which I'm completely unfamiliar,
x509, DER, CRT, CRL, OCSP, PEM, yada yada... But basically, I think I
can manually put together a cert file that will make curl happy, but
what do I do in six months when it expires? Whatever it is, I need the
system to do it unattended, as that is the kind of system it is.
Hopefully some combination of voodoo in curl and openssl can accomplish
that, but I need some direction where to look for an introductory
explanation of the process. Is there a newbie FAQ about this subject
somewhere?
TX in advance,
-- KD
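An added example, not part of the original post or its replies: a stdlib-only Python check that accepts a certificate in either encoding the post mentions (the binary DER file IE exports, or the text PEM file openssl writes), walks the ASN.1 to the notBefore/notAfter window, and reports how many days remain, which is the condition an unattended host needs to act on (alert, or fetch a fresh copy) before the file expires. The embedded certificate bytes are a constructed, unsigned skeleton with the six-month window the post describes, and the function names are this example's own.

```python
import base64
import re
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a SEQUENCE or SET."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _tlv(tag, value):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def pem_to_der(data):
    """Accept PEM (the text form openssl writes) or raw DER (the binary form IE exports)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def der_to_pem(der):
    """Wrap DER in the PEM armour that curl --cacert and openssl expect."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDhhmmssZ; RFC 5280: YY >= 50 is 19YY) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(data):
    """Return (notBefore, notAfter) from a DER or PEM certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    _, certificate, _ = _read_tlv(pem_to_der(data), 0)
    _, tbs, _ = _read_tlv(certificate, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:          # explicit [0] version tag present (v2/v3 certs)
        fields = fields[1:]
    (tag_nb, nb), (tag_na, na) = list(_children(fields[3][1]))   # validity is the 4th field
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)


def days_remaining(data, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (certificate_validity(data)[1] - now).days


def needs_renewal(data, now=None, threshold_days=30):
    """True when notAfter is within threshold_days: the condition an unattended host acts on."""
    return days_remaining(data, now) <= threshold_days


def constructed_sample_der():
    """CONSTRUCTED sample: unsigned TBSCertificate skeleton valid 3 Jun 2005 to 3 Dec 2005.
    Key and signature fields are placeholders; it is not a usable certificate."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    def name(cn):                     # Name ::= SEQUENCE OF SET OF { OID commonName, PrintableString }
        return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, cn))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                          # [0] version v3
               + _tlv(0x02, b"\x01") + sig_alg + name(b"Example CA")          # serial, sigalg, issuer
               + _tlv(0x30, _tlv(0x17, b"050603000000Z") + _tlv(0x17, b"051203000000Z"))
               + name(b"example.test") + _tlv(0x30, sig_alg + _tlv(0x03, b"\x00")))  # subject, placeholder key
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))                      # placeholder signature


if __name__ == "__main__":
    der = constructed_sample_der()
    not_before, not_after = certificate_validity(der)
    print("notBefore", not_before.date(), "notAfter", not_after.date(), "days left", days_remaining(der, not_before))
    print(der_to_pem(der), end="")
```

Once the server's issuing CA certificate is saved in PEM form, "curl --cacert ca.pem https://host/" verifies the connection against that file instead of skipping verification with -k. On the command line, "openssl x509 -inform DER -in cert.cer -out cert.pem" does the same conversion as der_to_pem above, and "openssl x509 -checkend 2592000 -in cert.pem" (30 days in seconds) exits non-zero when the certificate is about to expire, which is the same test needs_renewal makes and can be run from cron on the unattended box.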