WebApp Sec mailing list archives

RE: Open Source Certificate authority


From: "Dave Ockwell-Jenner" <doj () solar-nexus com>
Date: Tue, 23 Sep 2003 13:58:58 -0400

The reason that you don't get a warning when you use the VeriSign
certificates is that most browsers have a list of preset certificate
authorities (CAs).  When the SSL transaction is being negotiated, the
browser will validate the server certificate it receives.  If the
certificate was issued by one of the browser's known CAs then the
connection is made.  If the CA is not found for the server certificate,
you'll get some form of warning (which you don't want!).

With OpenSSL, you could create your own CA certificate (a self-signed
root certificate) and install it into your browser.  This will add your
CA to the list of known CAs the browser already has (like VeriSign,
Thawte, etc.)  You can then use your root CA to sign your own server
certificates.

This is a little involved, but it works.
--
Dave Ockwell-Jenner
Solar Nexus Solutions
http://www.solar-nexus.com/
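The procedure Dave outlines (create a self-signed root with OpenSSL, sign
server certificates with it, have clients trust that root), as an added
worked example that is not part of the original post. It also exercises the
two failure cases Jared mentions, an issuer the client does not know and a
hostname that does not match, using `openssl verify` in place of a real
client. The CA names, the hostname app.example.internal, the scratch directory
and the lifetimes are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build a private root CA with
# OpenSSL, sign a server certificate with it, and check the result the way a
# client that trusts (or does not trust) that root would. All names, paths and
# lifetimes below are assumptions chosen for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"                    # scratch directory
SERVER_NAME="${SERVER_NAME:-app.example.internal}"    # assumed server hostname

# make_root_ca PREFIX "CA name": self-signed root certificate plus private key,
# written to $WORKDIR/PREFIX.crt and $WORKDIR/PREFIX.key. The CA:TRUE and
# keyCertSign extensions are what make it acceptable as an issuer.
make_root_ca() {
    cat > "$WORKDIR/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORKDIR/$1.cnf" -extensions v3_ca \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# make_server_cert: key + CSR for $SERVER_NAME, then sign the CSR with the
# "ca" root. The subjectAltName must carry the hostname clients connect to,
# otherwise strict clients reject the certificate for a name mismatch.
make_server_cert() {
    cat > "$WORKDIR/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $SERVER_NAME
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/server.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 \
        -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.cnf" -extensions v3_server \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# verify_server TRUSTFILE HOSTNAME: exit 0 only if server.crt chains to a root
# in TRUSTFILE and is valid for HOSTNAME. These are the two checks whose
# failure shows up as the "unknown CA" and "domain mismatch" warnings.
verify_server() {
    openssl verify -CAfile "$1" -verify_hostname "$2" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

# cert_issuer: the issuer DN of the signed server certificate, for inspection.
cert_issuer() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -issuer
}

make_root_ca ca "Example Private Root CA"      # the root we install in clients
make_root_ca other "Unrelated Root CA"         # a root the client does NOT have
make_server_cert

result() { if verify_server "$1" "$2"; then echo accepted; else echo rejected; fi; }
echo "issuer:                       $(cert_issuer)"
echo "trusted root, matching name:  $(result "$WORKDIR/ca.crt" "$SERVER_NAME")"
echo "trusted root, wrong name:     $(result "$WORKDIR/ca.crt" wrong.example.internal)"
echo "unknown root, matching name:  $(result "$WORKDIR/other.crt" "$SERVER_NAME")"
```

The file that must reach the clients is ca.crt only; ca.key stays offline
because anyone holding it can issue certificates those clients will accept.
For a browser that means importing ca.crt as a trusted root; for a non-browser
tool it means whatever CA bundle or trust store that tool consults, which is
the part to confirm before assuming the warning will disappear.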


-----Original Message-----
From: Jared Ingersoll [mailto:jared () cswv com] 
Sent: September 23, 2003 12:11 PM
To: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
Subject: RE: Open Source Certificate authority


Thanks for all of the useful info. Let me narrow my request one step
more so I don't spend any time installing and configuring something that
does not work.  The point of using an alternate Certificate Authority is
to mimic the exact communication between the client and server. Our
application has an interface to it that 3rd parties develop their own
tools to utilize. These tools are not browsers. Anything like a
certificate warning for the certificate authority, mismatch domain name
or (expiration) will cause the exchange of information to fail (or error
out). The automated tools we use in testing behave the same. So to
clarify:

1. Is there an app that anyone is familiar with that will duplicate
Verisign's Certificate Authority in a way that would eliminate any type
of warning? (It seems like apache and openssl are out.)

2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software
supply certificates that would not present any warning message?

Thanks again!

Jared
