WebApp Sec mailing list archives
Re: Open Source Certificate authority
From: Dorian Moore <lists () dorianmoore com>
Date: Tue, 23 Sep 2003 19:37:46 +0100
A little explanation:

Only certificates which are signed by a registered Certification Authority will get past without a warning. This is because the certificate's purpose is to authenticate that the person you are transmitting the details to is who they say they are, which is proven by a trusted third party, in this instance Verisign. The CA basically signs your SSL certificate saying it is valid and trust should come without a warning.

In some [most?] browsers you can set up your own Certification Authority and get users to install your CA certificate, which means that any future certificates that you sign as authentic will not display a warning. This may be a solution, and you could do it using OpenSSL.

Otherwise you have to have an alternate trusted Certificate Authority which is already trusted by your browser manufacturer and hence is featured in their install.

There are several other authorities other than Verisign you can use. I use Thawte [http://www.thawte.com] as they are cheaper. But you still have to pay, I'm afraid.

The point of the CA is to provide trust. If anyone could be a CA without warning then the CA would be useless, as anyone could sign their own certificate, and you could create certificates passing off to be other people.

Hope this is of some help

_d._

on 23/09/03 5:10 pm the person going by the name Jared Ingersoll at jared () cswv com spake :
Thanks for all of the useful info. Let me narrow my request one step more so I don't spend any time installing and configuring something that does not work.

The point of using an alternate Certificate Authority is to mimic the exact communication between the client and server. Our application has an interface to it that 3rd parties develop their own tools to utilize. These tools are not browsers. Anything like a certificate warning for the certificate authority, mismatch domain name or (expiration) will cause the exchange of information to fail (or error out). The automated tools we use in testing behave the same.

So to clarify:

1. Is there an app that anyone is familiar with that will duplicate Verisign's Certificate Authority in a way that would eliminate any type of warning. (It seems like apache and openssl are out).
2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software supply certificates that would not present any warning message?

Thanks again!
Jared

-----Original Message-----
From: Don Fike [mailto:fike () cs utk edu]
Sent: Tuesday, September 23, 2003 11:08 AM
To: Jared Ingersoll
Cc: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
Subject: Re: Open Source Certificate authority

You can try using openssl;

http://www.openssl.org/docs/HOWTO/keys.txt
http://www.openssl.org/docs/HOWTO/certificates.txt

On Tue, 23 Sep 2003, Jared Ingersoll wrote:

Hi Folks,

I am looking for an open source or freely available tool (and/or documentation) that I can use to create 40-bit https certificates to use in conjunction with iPLanet 6 (SunOne) enterprise servers on SunOS.

We currently are in the middle of a project of creating a QA environment where we need to duplicate several sites served over https. Obviously, these certs will need to work with common browsers such as IE and Netscape. Currently we use verisign to create these certs, but at $250 a pop, the cost adds up quickly.

I'm open to any unix variant or MS platform.

gracias,
jared
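Added example, not part of the original thread or any poster's code: a sketch of the private-CA approach described in the reply, using the openssl command line, with a check that mirrors a strict non-browser client (unknown CA or name mismatch means failure). The host name `qa.example.test`, the file names, the key size and the lifetimes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: private QA certificate authority driven by the openssl CLI.
# Host name, file names, key size and lifetimes are constructed for illustration.

make_ca() {   # $1 = directory that will hold the CA key and certificate
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = QA Test
CN = QA Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {   # $1 = CA directory, $2 = host name the server will answer as
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # Leaf extensions: not a CA, and the name clients will compare against.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# Exit status 0 only if the chain ends at the CA in $3, the certificate is
# within its validity period, and its name matches $2.
check_cert() {   # $1 = certificate, $2 = expected host name, $3 = trusted CA file
    openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

demo() {   # run everything once in a scratch directory
    d=$(mktemp -d) || return 1
    make_ca "$d" && issue_cert "$d" qa.example.test || return 1
    check_cert "$d/qa.example.test.crt" qa.example.test "$d/ca.crt" \
        && echo "own CA, matching name: accepted"
    check_cert "$d/qa.example.test.crt" other.example.test "$d/ca.crt" \
        || echo "name mismatch: rejected"
    rm -rf "$d"
}
demo
```

Only `ca.crt` goes into the trust store of the QA clients and test tools; any client that trusts it will accept every certificate signed with `ca.key`, so keep that key off the servers and out of production trust stores.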