Re: SSLeay generating certs/keypairs for IE4


Richard Salz (salzr@certco.com)
Sat, 24 Jan 1998 20:16:34 -0500 (EST)


About two weeks ago I posted a summary of information on how to use
SSLeay to generate certificates that Internet Explorer could import.
Here is my (hopefully final) update.

Thanks to:
    Mike Crooks <mikec@crownltd.com.au>
    Allen Hadden <ahadden@taratec.com>
    Andrew W. Gray <a.gray@opengroup.org>
    Tom Titchener <t.titchener@opengroup.org>
    Rick Cormier <r.cormier@opengroup.org>
    Weidong Wang <wwang@isoft.com>
    Frederick J. Hirsch <f.hirsch@opengorup.org>
    Remo Tabanelli <remo@design.cds.tizeta.it>
    Sergei O. Ivanov <sergiva@NWLINK.COM> (he posted on the CryptoAPI list)

A primary-source document is
    http://www.camb.opengroup.org/RI/www/prism/wwwj/
which can also be found (unpublished version) at
    http://www.camb.opengroup.org/~fjh/Papers/cook/ssl_cook.html
Samuel Liddicott prepared an even simpler cookbook from Frederick's article:
   http://vzone.virgin.net/samuel.liddicott/x509/x509.html
(See #4, below).

Use Dr. Steve Henson's PKCS12 patch for SSLeay. It allows you to
convert SSLeay generated keypairs and certificates to PKCS12 format
which can be loaded by IE4 and Netscape 4.04. PKCS12 is based on
PFX. Don't get confused (like I did:). The patch can be downloaded
from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL. You can also find his
PFX kit there. Don't use PFX unless you need to. Note that PKCS12
is a work-in-progress; go to
    ftp://ftp.rsa.com/pub/pkcs/pkcs-12/
There is a latest12.txt file which is an addendum to the pkcs12.pdf document.

1. Generate a new certificate request:
        ssleay req -new -keyout privkey.pem >certreq.pem
Note that the SSLeay default keysize is 1024 bits, and that the
"Microsoft Base Cryptographic Provider v1.0", which is the default
provider to use, can only support up to 512 bits. So change your
CSP (if in the US or Canada), add "-newkey rsa:512" to the command
above, or edit your config file. Also, MS strictly enforces the
fact that client certificates must have their validity period
entirely within the CA's validity (this is good practice, but
sometimes folks get sloppy). This was a bit of a pain -- edit your
conf file or use the "-days nnn" flag in the req command shown
above. I also had what I think is a timezone/GMT problem (and I
was doing this the night before a big demo so those few incorrect
hours made a difference). I just hacked the code so the start date
is a week before today. Find the "gmtadjust" call in apps/req.c
and change the "0" to "-7*86400" :)

2. Sign the request with your CA:
        ssleay ca -in certreq.pem >my_cert.notpem
Now you have a certificate (my_cert.notpem) and private key (privkey.pem).
When you try to load the certificate into IE, if you get this error:
        emailAddress type needs to be of type IA5STRING.
You will have to add the "-msie_hack" flag to the CA command here.

3. Read the PKCS12 readme and follow the directions for creating the package:
        ssleay pkcs12 -export -name <some_name> <my_cert.notpem \
                -inkey privkey.pem >my_pfx.p12
where some_name is the name that will appear in the browser dialogs
to identify the cert. Usually make this related to the commonName
RDN.

4. You'll need to load the CA's certificate into windows (you must
have admin rights to do this on NT). A quick way to do this:
        ssleay x509 <your_ca_cert.pem -inform PEM \
                -outform DER >cacert.der
move the cacert.der file onto your windows machine and double click on it.
Dr. Henson points out that Netscape does not like standard SSLeay CA
certificates, and that this can mess up the Netscape user's certificate
store. See the ca-kludge documentation in his PFX (not PKCS12) kit.
(Those asking for more details are reminded to go look at the Subject
line of this note.)

Note that IE4 does not provide any way to remove certificates. You can
do it yourself by editing the registry:
        HKEY_CURRENT_USER\Software\Microsoft\Cryptography\UserKeys
Note that certificates are identified by GUID (UUID) so you should
probably export them all to files if you inadvertently delete the
wrong one. Anyone have a little "certprune" tool around?

BTW, John Boyer wrote a very interesting article on the two different
trust models implemented by IE and Outlook Express. See
 http://discuss.microsoft.com/SCRIPTS/WA-MSD.EXE?A2=ind9801d&L=cryptoapi&P=723

Hope folks find this useful. I don't particularly plan on updating this
document, but if someone else wants to take over its maintenance feel
free, particularly if they're gonna get it hitched up to a FAQ somewhere.
        /r$
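A small checker for the validity-nesting rule from step 1 (a client certificate's window must lie entirely inside the CA's window), added here as an example; it is not part of the original post or of SSLeay. It assumes as input the two-line notBefore=/notAfter= text that "ssleay x509 -noout -dates" prints, parses the dates as GMT to avoid the timezone confusion mentioned in step 1, and uses constructed sample dates.

```python
from datetime import datetime, timedelta, timezone

def parse_dates(text):
    """Parse 'notBefore=Jan 24 20:16:34 1998 GMT' style lines into UTC datetimes."""
    found = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        if key not in ("notBefore", "notAfter"):
            continue
        value = value.strip()
        if not value.endswith(" GMT"):
            raise ValueError("expected a GMT timestamp, got %r" % value)
        # strptime tolerates the double space ssleay prints for 1-digit days
        stamp = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
        found[key] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("missing notBefore or notAfter line")
    return found["notBefore"], found["notAfter"]

def check_nesting(ca_dates_text, cert_dates_text):
    """Return a list of problems (empty when the client cert fits inside the CA)."""
    ca_start, ca_end = parse_dates(ca_dates_text)
    c_start, c_end = parse_dates(cert_dates_text)
    problems = []
    if c_start >= c_end:
        problems.append("notBefore is not earlier than notAfter")
    if c_start < ca_start:
        problems.append("notBefore %s precedes CA notBefore %s" % (c_start, ca_start))
    if c_end > ca_end:
        problems.append("notAfter %s exceeds CA notAfter %s" % (c_end, ca_end))
    return problems

def backdated_start(now, days=7):
    """Start date the post's apps/req.c tweak (gmtadjust of -7*86400) would give."""
    return now - timedelta(days=days)

# Constructed sample output, not taken from real certificates.
CA_DATES = "notBefore=Jan  1 00:00:00 1998 GMT\nnotAfter=Jan  1 00:00:00 2000 GMT\n"
GOOD_CLIENT = "notBefore=Jan 24 20:16:34 1998 GMT\nnotAfter=Jan 24 20:16:34 1999 GMT\n"
SLOPPY_CLIENT = "notBefore=Jan 24 20:16:34 1998 GMT\nnotAfter=Jan 24 20:16:34 2001 GMT\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_CLIENT), ("sloppy", SLOPPY_CLIENT)):
        print(label, check_nesting(CA_DATES, text) or "OK")
```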

