Re: Open Source Certificate authority

[Dorian Moore <lists () dorianmoore com>]

A little explanation:

Only certificates which are signed by a registered Certification Authority
will get past without a warning, this is because the certificates purpose is
to authenticate that the person you are transmitting the details to is who
they say they are, which is proven by a trusted third party, in this
instance Verisign. The CA basically signs your SSL certificate saying it is
valid and trust should come without a warning.

In some[most?] browsers you can set up your own Certification Authority and
get users to install your CA certificate, which means that any future
certificates that you sign as authentic will not display a warning. This may
be a solution, and you could do it using OpenSSL

Otherwise you have to have an alternate trusted Certificate Authority which
is already trusted by your browser manufacturer and hence is featured in
their install. There are several other authorities other than Verisign you
can use. I use Thawte [http://www.thawte.com] as they are cheaper. But you
still have to pay I'm afraid.

The point of the CA is to provide trust. If anyone could be a CA without
warning then the CA would be useless as anyone could sign their own
certificate, and you could create certificate's passing off to be other
people.

Hope this is of some help

_d._ 

on 23/09/03 5:10 pm the person going by the name Jared Ingersoll at
jared () cswv com spake :

> Thanks for all of the useful info. Let me narrow my request one step more so
> I don't spend any time installing and configuring something that does not
> work.  The point of using an alternate Certificate Authority is to mimic the
> exact communication between the client and server. Our application has an
> interface to it that 3rd parties develop their own tools to utilize. These
> tools are not browsers. Anything like a certificate warning for the
> certificate authority, mismatch domain name or (expiration) will cause the
> exchange of information to fail (or error out). The automated tools we use
> in testing behave the same. So to clarify:
>
> 1. Is there an app that anyone is familiar with that will duplicate
> Verisign's Certificate Authority in a way that would eliminate any type of
> warning. (It seems like apache and openssl are out).
> 2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software
> supply certificates that would not present any warning message?
>
> Thanks again!
>
> Jared
>
> -----Original Message-----
> From: Don Fike [mailto:fike () cs utk edu]
> Sent: Tuesday, September 23, 2003 11:08 AM
> To: Jared Ingersoll
> Cc: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
> Subject: Re: Open Source Certificate authority
>
>
>
> You can try using openssl;
>
> http://www.openssl.org/docs/HOWTO/keys.txt
>
> http://www.openssl.org/docs/HOWTO/certificates.txt
>
>
>
> On Tue, 23 Sep 2003, Jared Ingersoll wrote:
>
> > Hi Folks,
> >
> > I am looking for an open source or freely available tool (and/or
> > documentation) that I can use to create 40-bit https certificates to use
> in
> > conjunction with iPLanet 6 (SunOne) enterprise servers on SunOS. We
> > currently are in the middle of a project of creating a QA environment
> where
> > we need to duplicate several sites served over https. Obviously, these
> certs
> > will need to work with common browsers such as IE and Netscape. Currently
> we
> > use verisign to create these certs, but at $250 a pop, the cost adds up
> > quickly. I'm open to any unix variant or MS platform.
> >
> >
> > gracias,
> > jared