I have created a CA using OpenSSL. Now i want my server to send Certificate Signing Request(CSR) to CA and receive the signed certificate.
My question is, Is there any specific method provided by OpenSSL to transfer the CSR and signed certificate between the CA and server? Or i should just send the CSR to CA using any method (e.g. my own client-server program that sends CSR and receives signed certificate) and receive the signed certificate in same way.
Hope I have clearly stated my question. Waiting for response.
Regards
Related
I am using OpenSSL program to generate my SSL self-signed certificate, created a CA certificate and a webserver certificate. The webserver certificate, I have signed it with the CA certificate. I created a keystore with Java's keytool to import webserver's certificate.
On the client side, I have imported the CA certificate inside client's Certificate Manager, under the "Trusted Root Certification Authorities".
In theory, is this way considered as a One way TLS or a Two way TLS communication?
Thank you so much for the help!
In TLS protocol by default the client validates servers authenticity, the server sends its certificate during the handshake and the client validates it with the CA certificate in its trust store. It is one way setup
For two way, during the handshake, the server also asks for certificate from client,it validates the certificate sent by the client with the CA certificate in its trust store. So if you want to use two way setup, you need to generate client CA certificate and client certificate(it will be signed by the client CA certificate), the same CA certificate you need to configure at server so that it(server) will be able to validate the client certificate it received during the handshake.
You can also decide to keep same CA certificate for both client and server certificates, making sure client and server certificates are signed by the same CA
I have to create an SSL connection between a client and a server. I've created a keypair and signed my public key with my private key. The server won't trust this so I need to get it signed by a CA. I presume that the server will trust a certificate which has been signed by the same CA as was used to sign its own certificate. How do I do the business of creating the signed certificate with keytool? Sorry if this is duplicated information on the Oracle website, but for some reason their pages keep breaking my internet browser.
knowledge so far is based on answer here
I presume that the server will trust a certificate which has been signed by the same CA as was used to sign its own certificate.
Correcting your assumption here: A system trusts various major Certificate Authorities (CA) by default (eg: GeoTrust, Entrust, OpenTrust, Verisign, etc...). When you get your CSR signed by any of these known CA's, the server will trust by default, not just by the CA that signed the server's certificate.
What you could do to test your SSL connection between the client and the server is to work with self-signed certificates.
I've created a keypair and signed my public key with my private key
You shouldn't be doing this as a client. The server is supposed to do this. If the server is working with self-signed certificates, they need to provide the client with that certificate, so that the clients can trust them to make the SSL connection.
As a server, you could use the keytool to create a self-signed certificate. When you are generating a keypair using keytool, it will ask you few attributes like commonName, organizationName, etc... using these attributes, the keytool will create a self-signed certificate and associate it with the private key. All you have to do is export this certificate using the keytool -exportcert command. Once you have done this part, you would use this certificate to secure the server.
Once the server is secured, the server should give or the client this certificate, because it is self-signed and the client's system will not trust it until you explicitly trust it. If the server has secured using a certificate signed by a CA, it need not provide the client with any certificate, because, if it is a known CA, it will already be trusted by the client system.
I wonder if anyone can provide more detailed description of point 2 of the answer to How are ssl certificates verified?.
What algorithms are used to verify that the certificate was signed by the trusted CA? What ideas are they based on? Why it is not possible to simulate trusted CA signature (make a certificate that the browser will treat as valid)?
It's a digital signature. You can verify it via the public key in the associated certificate. The algorithms are as specified in the certificate itself.
If I understand SSL/TLS correctly in server only authentication, After the handshake, the server sends the client it's public key and a digitally signed certificate signed by a CA. If the client has this CA's public key, it can decrypt the certificate and establish trust with the server. If it does not trust the CA, then the communication stops. In 2 way SSL where the client needs to authenticate back to the server, after the client receives the public key and the digitally signed cert then the client will send the server over it's public key and a digitally signed cert. The server will check to see if it has a public key for the client's cert and if it does it can establish trust with the client. I am setting up mutual authentication [ 2 way ssl] on a weblogic server [in this case the client, calling outbound to a web service] and the third party sent me a digitally signed cert and a certificate chain. Why do I need these. Isn't this what the server replies with after the handshake?
the server sends the client it's public key and a digitally signed certificate signed by a CA.
The certificate contains the public key. The key is not sent extra.
If the client has this CA's public key, it can decrypt the certificate
The certificate is not encrypted, it is signed by the CA. Thus no decryption is done but the client can verify this signature if the client has the CA's certificate (and thus its public key). But usually the certificate is not signed directly by a CA trusted by the browser but there are intermediate certificates. In this case the server will not only send the servers certificate but also all intermediate certificates which are needed to build the trust chain.
then the client will send the server over it's public key and a digitally signed cert.
Again, the public key is part of the certificate.
the third party sent me a digitally signed cert and a certificate chain. Why do I need these.
The first certificate is the client certificate. The chain certificates are needed to build the trust chain because the server does not trust the issuer CA of the clients certificate directly and thus needs the intermediate certificates.
I'm trying to create web application with client certificates, generated programmatically. My main problem is following: I've added generated .p12 keystore to my web browser, but it doesn't send certificate to the server.
How does browser understand which x509 certificate it should use? And is it possible to debug SSL in Chrome of Firefox?
SSL/TLS server sends Certificate Request message (see RFC 4346 for TLS 1.1 or others). In this message there is only certificate type and acceptable certificate authorities names, so server doesn't tell anything about particular certificate.
The possible reason is that your certificate of invalid type (i.e. DSA instead of RSA but key exchange algorithm depends on client RSA certificate), or server requests certificate of different certificate authority.