
Re: Problems with SSL certification on openldap 2.1.3



Fri, 2002-08-16 at 20:59, Eduardo Fernandes Piva wrote:

> TLS_CACERT /usr/share/ssl/certs/ca.cert
 
> Is there any way to use SSL without my clients needing to do that? It's a 
> private network and I'm using self-signed certificates.

The whole point about a CA certificate is that it MUST be available to
the clients. Otherwise, what warranty does the client have that the
server is who it says it is? That's what the certificate is for. It is
from one who guarantees that the "bearer" is bona fide, like a passport
or a driver's license.

The only certificate that the clients MUST not see is the server's
private key, since that's the basis for the server's encryption and
message digests.

OpenSSL, as well as browsers such as Netscape, Mozilla, and MS Explorer,
are delivered with a list of certificates from known Certificate
Authorities. You yourself can view the browser certs in the browser
itself. But you can't find your own self-signed CA certificate there,
unless you import it first (which you have the choice of doing). If you
import it, you're saying as much as "I trust the issuer".

You can't view the CA certificates in OpenSSL, since they're hard coded
in - but if you compile your own OpenSSL, you'll see, near the end of
the compile, a list of the built-in certs it has.

A good info site used to be the South African Thawte, but since it's
been taken over by Verisign, it's turned into a kind of street booth.
You could try www.rsasecurity.com - and read the PKI FAQ. You'll need
that anyway, if you're serious about encryption :-)

Best,

Tony


-- 

Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
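The situation Tony describes, shown as an added example that is not part of the original thread: a throwaway private CA signs a server certificate, and the server certificate is then checked twice, once with the CA certificate available (what a client with a TLS_CACERT line does) and once without it (what a client without that line does). The script is mine, not the OpenLDAP project's; it assumes the openssl command-line tool is installed, and every file name and subject name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: build a private CA plus a server certificate issued by it,
# then compare verification with and without the CA certificate configured.
# Assumes the openssl command-line tool is present. All names are constructed.

set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA and a server certificate signed by that CA.
# Only ca.cert needs to reach the clients; ca.key and server.key stay private.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cert" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/ca.cert" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# Verify the server certificate the way a client with TLS_CACERT would:
# the private CA is trusted, so the chain checks out. Prints ok or fail.
verify_with_ca() {
    if openssl verify -CAfile "$WORK/ca.cert" "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Verify with no trust anchors at all: this is the position of a client
# that has no TLS_CACERT line, and why its handshake is rejected.
verify_without_ca() {
    if openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Write the client-side ldap.conf fragment that points at the distributed
# CA certificate. Returns the number of TLS_CACERT lines written (1).
write_ldap_conf() {
    cat > "$WORK/ldap.conf" <<EOF
# Trust server certificates issued by our private CA
TLS_CACERT $WORK/ca.cert
TLS_REQCERT demand
EOF
    grep -c '^TLS_CACERT ' "$WORK/ldap.conf"
}

# Demonstration run.
make_test_pki
printf 'with TLS_CACERT:    %s\n' "$(verify_with_ca)"
printf 'without TLS_CACERT: %s\n' "$(verify_without_ca)"
write_ldap_conf >/dev/null
printf 'client config written to %s/ldap.conf\n' "$WORK"
```

The file the client needs is ca.cert alone; the two .key files never leave the machine that generated them, which is the distinction the reply draws between the CA certificate and the server's private key.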