[wplug] SSL Certificates and Keys

Brandon Kuczenski brandon at 301south.net
Fri Nov 19 20:54:44 EST 2004


I decided that I should install SSL certificates on my computer so that my
users can check their mail over IMAP in a secure fashion.  I have been
reading docs and things, and I have come to the point where I think I need
just a few clarifications.

I'm using OpenSSL.  Just correct me if I say something wrong.

So, it seems to me that there are three different components to SSL:
public keys, private keys, and certificates.  I create a private key with
genrsa(1), and can then use rsa(1) to make a public key.  I can use req(1)
to make a certificate signing request, or to make a certificate itself,
which is self-signed, and called X.509 format.

Then I point my IMAP server at the certificate.  It uses the certificate
to offer a public key to the client.  First question: how does the client
know that the certificate is valid?  Does it simply observe that the
certificate is self-signed (and possibly inform the user)?

Anyway, the client uses the public key, which is certified, to negotiate
a secure connection with the server (probably by generating its own key
and sending that, encrypted, to the server -- I'm not sure exactly, but
it doesn't seem important).  Thereafter, communication is encrypted in
both directions.

Second question: Once I've generated a certificate, is there any reason to
keep the private key around, or is it superfluous?  What's the difference
in information content between the certificate and the private key?

Related (call it question 2a): is there any reason to password-protect
either my private key or my certificate?  Is there any advantage gained by
password-protecting one and not the other?  I don't want to have to put in
the certificate password every time the IMAP server starts up.

Final question (question 3): what is the best way for me to inspect a
certificate (i.e. when I create the certificate I put in information like
my city, state, email address, and I specify how long the certificate
should be good for.  How can I read that back from the certificate file?)

Thanks,
Brandon
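The OpenSSL workflow asked about above, as an added example that is not part of the original post: it generates an RSA private key and a self-signed X.509 certificate with openssl(1), reads the subject and validity period back out of the certificate file, checks that the certificate carries only the public half of the key (which is why the server still needs the private key file at runtime), and contrasts a plain key file with a passphrase-protected one, which would need the passphrase every time the daemon starts. The subject fields, hostname and passphrase are constructed placeholders; the script assumes the openssl command-line tool is installed and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl(1) is on PATH.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/imap.key"        # unencrypted private key (constructed name)
ENCKEY="$WORKDIR/imap-enc.key" # passphrase-protected copy (constructed name)
CERT="$WORKDIR/imap.crt"       # self-signed certificate (constructed name)

# 1. Private key: this is the secret; the server must be able to read it at start-up.
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# 1b. The same kind of key, but encrypted with a passphrase (constructed value).
#     A server pointed at this file has to be given the passphrase on every start.
gen_encrypted_key() {
    openssl genrsa -aes256 -passout pass:example-passphrase -out "$ENCKEY" 2048 2>/dev/null
}

# 2. Self-signed certificate: binds the PUBLIC half of the key to a subject name
#    and a validity window. -subj fills in the DN non-interactively
#    (all values below are constructed placeholders).
gen_cert() {
    openssl req -new -x509 -key "$KEY" -out "$CERT" -days 365 \
        -subj "/C=US/ST=Pennsylvania/L=Pittsburgh/O=Example Org/CN=imap.example.com"
}

# 3. Inspect: subject, issuer and validity dates are stored in clear in the cert.
#    (-text instead of -subject/-dates dumps every field, including the public key.)
show_cert() {
    openssl x509 -in "$CERT" -noout -subject -issuer -dates
}

# 4. The certificate contains the public key and nothing secret: the public key
#    derived from the private key file is byte-for-byte the one in the cert.
key_matches_cert() {
    from_key=$(openssl rsa -in "$KEY" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$CERT" -noout -pubkey)
    [ "$from_key" = "$from_cert" ] && echo match || echo mismatch
}

# 5. An encrypted PEM key file announces itself in its header (either
#    "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1" && echo yes || echo no
}

# 6. A self-signed cert validates only against itself: a client that has not
#    been told to trust this exact certificate (or a CA that signed it) will
#    report it as untrusted, so we supply it explicitly as the trust anchor.
verify_with_anchor() {
    if openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

gen_key
gen_encrypted_key
gen_cert
show_cert
echo "private key matches certificate: $(key_matches_cert)"
echo "plain key encrypted: $(key_is_encrypted "$KEY"), protected key encrypted: $(key_is_encrypted "$ENCKEY")"
echo "self-signed cert verified against itself as anchor: $(verify_with_anchor)"
```

Run it with `sh`. The `openssl verify` step succeeds only because the certificate is passed in as its own trust anchor; without that (or a CA the client already trusts) a mail client has no way to tell this certificate from one produced by someone else for the same hostname, which is the situation that prompts the "untrusted certificate" prompt.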