[wplug] SSL Certificates and Keys

Tom Rhodes trhodes at FreeBSD.org
Mon Nov 22 11:17:40 EST 2004 

On Fri, 19 Nov 2004 20:54:44 -0500 (EST)
Brandon Kuczenski <brandon at 301south.net> wrote:

> I decided that I should install SSL certificates on my computer so that my
> users can check their mail over IMAP in a secure fashion.  I have been
> reading docs and things, and I have come to the point where I think I need
> just a few clarifications.
> 
> I'm using OpenSSL.  Just correct me if I say something wrong.
> 
> So, it seems to me that there are three different components to SSL:
> public keys, private keys, and certificates.  I create a private key with
> genrsa(1), and can then use rsa(1) to make a public key.  I can use req(1)
> to make a certificate signing request, or to make a certificate itself,
> which is self-signed, and called X.509 format.
> 
> Then I point my IMAP server at the certificate.  It uses the certificate
> to offer a public key to the client.  First question: how does the client
> know that the certificate is valid?  Does it simply observe that the
> certificate is self-signed (and possibly inform the user)?

Yes, it notices the 'self signed' certificate and informs the
user that it was not signed by a "Certificate Authority" or just
"CA."  Verisign will act as a CA for you, but that costs money.

> 
> Anyway, the client uses the public key, which is certified, to negotiate
> a secure connection with the server (probably by generating its own key
> and sending that, encrypted, to the server -- I'm not sure exactly, but
> it doesn't seem important).  Thereafter, communication is encrypted in
> both directions.

You can deliver to the users, a public certificate, which they can
store on their machines.  This, I believe, allows for a system
similar in style to PKI (public key infrastructure).

> 
> Second question: Once I've generated a certificate, is there any reason to
> keep the private key around, or is it superfluous?  What's the difference
> in information content between the certificate and the private key?

Yes, keep it.

> 
> Related (call it question 2a): is there any reason to password-protect
> either my private key or my certificate?  Is there any advantage gained by
> password-protecting one and not the other?  I don't want to have to put in
> the certificate password every time the IMAP server starts up.

Security.  I wouldn't want to have a situation like the following
outside of FreeBSD[1]:

Tom Rhodes: "Hi, I'm Tom Rhodes"
Some asshole: "No, I'm Tom Rhodes, here are my credentials"
...

> 
> Final question (question 3): what is the best way for me to inspect a
> certificate (i.e. when I create the certificate I put in information like
> my city, state, email address, and I specify how long the certificate
> should be good for.  How can I read that back from the certificate file?)

If there isn't a command, I assume you're using OpenSSL which I'm
not completely familiar with, but you could always connect to your
system through a secure session and evaluate the information.

I'm sure there are a few things which can be done a little easier,
but I lack the time to investigate.

[1]: Ask Bill Moran about the "Real Tom Rhodes"&trade; joke going
     around FreeBSD.  :)

-- 
Tom Rhodes

More information about the wplug mailing list