[wplug] SSL Certificates and Keys
Tom Rhodes
trhodes at FreeBSD.org
Mon Nov 22 11:17:40 EST 2004
On Fri, 19 Nov 2004 20:54:44 -0500 (EST)
Brandon Kuczenski <brandon at 301south.net> wrote:
> I decided that I should install SSL certificates on my computer so that my
> users can check their mail over IMAP in a secure fashion. I have been
> reading docs and things, and I have come to the point where I think I need
> just a few clarifications.
>
> I'm using OpenSSL. Just correct me if I say something wrong.
>
> So, it seems to me that there are three different components to SSL:
> public keys, private keys, and certificates. I create a private key with
> genrsa(1), and can then use rsa(1) to make a public key. I can use req(1)
> to make a certificate signing request, or to make a certificate itself,
> which is self-signed, and called X.509 format.
>
> Then I point my IMAP server at the certificate. It uses the certificate
> to offer a public key to the client. First question: how does the client
> know that the certificate is valid? Does it simply observe that the
> certificate is self-signed (and possibly inform the user)?

Yes, it notices the 'self signed' certificate and informs the
user that it was not signed by a "Certificate Authority" or just
"CA." Verisign will act as a CA for you, but that costs money.

>
> Anyway, the client uses the public key, which is certified, to negotiate
> a secure connection with the server (probably by generating its own key
> and sending that, encrypted, to the server -- I'm not sure exactly, but
> it doesn't seem important). Thereafter, communication is encrypted in
> both directions.

You can deliver to the users a public certificate, which they can
store on their machines. This, I believe, allows for a system
similar in style to PKI (public key infrastructure).

>
> Second question: Once I've generated a certificate, is there any reason to
> keep the private key around, or is it superfluous? What's the difference
> in information content between the certificate and the private key?

Yes, keep it.

>
> Related (call it question 2a): is there any reason to password-protect
> either my private key or my certificate? Is there any advantage gained by
> password-protecting one and not the other? I don't want to have to put in
> the certificate password every time the IMAP server starts up.

Security. I wouldn't want to have a situation like the following
outside of FreeBSD[1]:

    Tom Rhodes: "Hi, I'm Tom Rhodes"
    Some asshole: "No, I'm Tom Rhodes, here are my credentials"
    ...

>
> Final question (question 3): what is the best way for me to inspect a
> certificate (i.e. when I create the certificate I put in information like
> my city, state, email address, and I specify how long the certificate
> should be good for. How can I read that back from the certificate file?)

If there isn't a command, I assume you're using OpenSSL which I'm
not completely familiar with, but you could always connect to your
system through a secure session and evaluate the information.

I'm sure there are a few things which can be done a little easier,
but I lack the time to investigate.

[1]: Ask Bill Moran about the "Real Tom Rhodes"™ joke going
around FreeBSD. :)
--
Tom Rhodes
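
Added example, not part of the original message: the steps asked about in this thread, run end to end with the OpenSSL command line. It creates a key with genrsa(1), derives the public key with rsa(1), makes a self-signed certificate with req(1), then reads the fields back with x509(1) and checks that the certificate holds only the public half of the key. File names and subject fields are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: paths and subject values below are placeholders.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/imapd.key"    # private key: stays on the server
PUB="$WORK/imapd.pub"    # public key derived from the private key
CERT="$WORK/imapd.crt"   # self-signed X.509 certificate
SUBJ="/C=US/ST=Pennsylvania/L=Pittsburgh/CN=mail.example.org/emailAddress=postmaster@example.org"

make_cert() {
    # No passphrase on the key, so the IMAP daemon can start unattended;
    # the restrictive umask (mode 0600) is the protection instead.
    ( umask 077; openssl genrsa -out "$KEY" 2048 2>/dev/null ) || return 1
    openssl rsa -in "$KEY" -pubout -out "$PUB" 2>/dev/null || return 1
    # -x509 makes req(1) emit a self-signed certificate instead of a CSR.
    openssl req -new -x509 -key "$KEY" -days 365 -subj "$SUBJ" -out "$CERT"
}

# Question 3: read back who the certificate names and how long it is valid.
show_cert() {
    openssl x509 -in "$CERT" -noout -subject -issuer -dates
}

# Question 2: the certificate embeds the public key only. The server still
# needs the private key, and the two must belong to the same key pair.
cert_matches_key() {
    [ "$(openssl x509 -in "$CERT" -noout -pubkey)" = \
      "$(openssl rsa -in "$KEY" -pubout 2>/dev/null)" ]
}

# Question 1: a self-signed certificate has identical subject and issuer,
# which is what a client notices when no CA vouches for it.
is_self_signed() {
    [ "$(openssl x509 -in "$CERT" -noout -subject_hash)" = \
      "$(openssl x509 -in "$CERT" -noout -issuer_hash)" ]
}

make_cert && show_cert
cert_matches_key && echo "certificate and private key belong together"
is_self_signed && echo "certificate is self-signed (subject == issuer)"
```
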