[wplug] SSL Certificates and Keys

Patrick Chiang patrick at fany.info
Sat Nov 20 17:18:07 EST 2004


Hi Brandon,

I'm not good in SSL, 
but I'd like to share with you my 2 cents :)
Of course you can correct me any time.

about your question 1, how does the client know that the certificate is
valid? 
it's a bit complicated, I think my poor english cannot explain it well. 
plz refer to the conversation below.

server : plz connect me by SSL. Here is my certificate.
(ie, a certificate will contain a pub key)
client : ok. I assume you have a private key in your pocket. 
           Now I encrypted SOMETHING with your pub key, 
           if you do have a private key, you should be able to decrypt
my messages
           and tell me "what's the content of SOMETHING."
          (now, the client encrypted a word "abcde" by the server's pub
key,
           and send it back to server)
server : Hmm, I recevied your messages. Now I use my private key to
decode your msgs,
            and ... OK, client's secret is abcde.
           (Server send the word "abcde" to client and ask, "Is abcde
your secret word, right?"
client : Bingo, you do have a private key. ok, I trust your certificate.

The example above just explained a self-signed certificate. If a
certificate is issued by other CA, the conversation between clients and
servers should be more complicated.

Regarding your Second question: 
Once I've generated a certificate, is there any reason to
keep the private key around, or is it superfluous?  

Private key should be always kept safely, once you lost it, your key
pair is totally useless. 
You can see the example above, to understand the importance of private
key. And your question 2a: is there any reason to password-protect
either my private key or my certificate? I think by default private key
will be protected by a DSA/RSA password.  I think its purpose is to only
enhance the difficulities for crackers to guess your private key.  You
can run

 openssl rsa -in your_encrypted_key.pem > unprotected_private_key.pem

to decrypt a protected private key, any time.

Your last question,what is the best way for me to inspect a certificate?
You can run
openssl x509 -text -in myserver.crt                            ; view
the contest
openssl x509 -text -in myserver.crt -noout -purpose     ; view the
purpose
openssl x509 -text -in myserver.crt -noout -dates        ; view the
valid date

HTH :)

Patrick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: =?UTF-8?Q?=E9=80=99=E6=98=AF=E6=95=B8=E4=BD=8D=E5=8A=A0=E7=B0=BD?=
	=?UTF-8?Q?=E7=9A=84=E9=83=B5?= =?UTF-8?Q?=E4=BB=B6?=
Url : http://penguin.wplug.org/pipermail/wplug/attachments/20041120/9f5b57b5/attachment.bin


More information about the wplug mailing list