ZServerSSL and Certificates

Ng Pheng Siong ngps at netmemetic.com
Thu Aug 5 11:32:08 EDT 2004


According to Sean <stuffduff at cox.net>:
> However I'm really not clear on
> certificates in general, and we're about to try it with real certs
> from a real CA.

Ahem, please read this sentence aloud to yourself. Does it sound like a
good idea?

> # openssl -des3 -out privatekey 1024
> # ./CA.pl -newreq

You mean 'openssl rsa ...'. Anyways, it is a no-op, given your second
command; i.e., 'CA.pl -newreq' generates a key pair.

> So I take privatekey.pem and the ca cert and combine them into a
> single file called ca.pem.

Why?

> # ./CA.pl -sign

This _signs_ your certificate request. Given that you've already gotten
your certificate request signed by a 3rd party CA, this step is
superfluous.

> # openssl rsa < newreq.pem > newkey.pem
> and I combine the server cert and newkey.pem and call it server.pem.

Yup this is fine provided your newreq.pem contains your private key.

> Microsoft IE6 first shows a request for a cert to use, 

This sounds like the server is asking for a client cert. Have you
configured your ZServerSSL to do so? I think the server doesn't do that by
default.

> I click OK to
> bypass it then a warning dialog that the ca is not trusted.

Is the 3rd party CA's cert installed into your IE6?

> Mozilla displays a panel warning that there are three potential
> problems.

What are the error messages?

> In either case if I ignore the warnings I get a secure connection.

You get an HTTPS connection. You are connecting to a site (well, your own,
in this case) whose certificate's CA your browser does not trust.
"Secure" is a loaded word. ;-)

> I need to understand what I'm doing wrong here.

Read up more on how X.509 certificates are structured and on how SSL uses
them. 

Then go install one or more other SSL server products.  Follow their
instructions on installing certificates. Once you see how different
software packages do the same things it should become clearer to you.  Try
Apache + mod_ssl or AOLserver, say. Don't choose one where you configure
the stuff using Windows or web-based pointy-and-clicky interfaces - you
won't learn much that way.

HTH.


-- 
Ng Pheng Siong <ngps at netmemetic.com> 

http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control 
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
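The flow argued over above (key pair and request, CA signature, key plus cert combined into server.pem) and the openssl-level counterpart of the browser's untrusted-CA warning, as an added shell example that is not part of this message or of ZServerSSL. It assumes the openssl CLI is on PATH; the local "Example Test CA", the subject names and the file names are constructed stand-ins for the real third-party CA.

```shell
#!/bin/sh
# Added example (not from the thread): key -> request -> CA-signed cert ->
# server.pem, with a throw-away local CA standing in for the 3rd party CA,
# then the openssl check behind the browser's "CA not trusted" warning.
# Assumes the openssl CLI is on PATH; names and files are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the third-party CA (constructed, self-signed, valid one day).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# What CA.pl -newreq does: a fresh key pair plus a certificate request.
# Writing the key to its own file avoids the 'openssl rsa < newreq.pem' step.
make_server_request() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=zope.example" \
    -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}
# The CA signs the request. A real CA does this for you, which is why
# running CA.pl -sign yourself on an already CA-issued cert is redundant.
sign_request() {
  openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null
}
# server.pem = private key followed by the issued certificate.
build_server_pem() {
  cat "$WORK/newkey.pem" "$WORK/server.crt" > "$WORK/server.pem"
  chmod 600 "$WORK/server.pem"
}
# Chain check. $1 = CA file to trust, or "" for the default trust store only,
# which is the browser's situation when the CA cert has not been installed.
verify_against() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify "$WORK/server.crt" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}
# The key in server.pem must belong to the certificate in server.pem.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.pem" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/server.pem" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ] && echo OK || echo FAIL
}
make_test_ca; make_server_request; sign_request; build_server_pem
echo "CA trusted:       $(verify_against "$WORK/ca.crt")"   # OK
echo "CA not installed: $(verify_against "")"               # FAIL
echo "key matches cert: $(key_matches_cert)"                # OK
```

The FAIL line is exactly the condition behind the IE6 and Mozilla warnings: the certificate is fine, but nothing in the trust store vouches for its issuer.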
