Chaining x.509 certificates

Posted by wdtj on April 27, 2005, 3:46 pm
I'm fairly new to x.509 certificates, etc. Please forgive a novice
question...

I work for a software development organization. We've used a Verisign
x.509 certificate (via keytool and jarsigner) to sign our jars before
they get shipped to customers for a few years. Now we're going to be
shipping a new product enhancement that uses https for security.

It looks like, with https, our customer will need their own x.509
certificate. They can, of course, generate their own self-signed
certificate, or get one from Verisign, et al.

I'm wondering if there is a third option. For us to create a
sub-certificate off of our current one.

After digging through keytool and a whole pile of stuff on Google for a
day (and barely scratching the surface), I still have not figured out
the magical step of chaining a x.509 certificate. Keytool refers to
importing a chained certificate from the CA, but nothing about how the
CA creates it.

I suppose, if it were easy, Verisign would quickly go out of business
:{)>

Any suggestions or references would be greatly appreciated.



Posted by Edward A. Feustel on April 28, 2005, 7:29 am

> I'm fairly new to x.509 certificates, etc. Please forgive a novice
> question...
>
> I work for a software development organization. We've used a Verisign
> x.509 certificate (via keytool and jarsigner) to sign our jars before
> they get shipped to customers for a few years. Now we're going to be
> shipping a new product enhancement that uses https for security.
>
> It looks like, with https, our customer will need their own x.509
> certificate. They can, of course, generate their own self-signed
> certificate, or get one from Verisign, et al.
>
> I'm wondering if there is a third option. For us to create a
> sub-certificate off of our current one.
>
> After digging through keytool and a whole pile of stuff on Google for a
> day (and barely scratching the surface), I still have not figured out
> the magical step of chaining a x.509 certificate. Keytool refers to
> importing a chained certificate from the CA, but nothing about how the
> CA creates it.
>
> I suppose, if it were easy, Verisign would quickly go out of business
> :{)>
>
> Any suggestions or references would be greatly appreciated.
>
>
The real question is whether your https protocol requires mutual
authentication. That is, do you require that each client identify
themselves with a public/private key challenge? If not, you only need a
certificate for your servers. They need to identify themselves to the
client, but not the other way around.

A chained certificate is when one CA certifies another one as a CA and
not a user. It has some extra bits turned on in the certificate if this
is so. Verisign typically only signs CA certificates for themselves and
for users. You cannot "properly" sign a CA certificate with a user's
certificate (as far as the certificate validation software is concerned).

Ed






Posted by jacost on April 28, 2005, 10:18 am
wdtj@yahoo.com wrote:
> [...]
> It looks like, with https, our customer will need their own x.509
> certificate. They can, of course, generate their own self-signed
> certificate, or get one from Verisign, et al.

If your user group is small, you can generate your own self-signed root
certificate (and key), and then generate certificates for your customers
using tools like OpenSSL (see the thread "Certificate Management Tools",
originated by TC on April 27, 18:35). You have to load your root
certificate into your customer's trusted certificate repositories to
avoid browser warnings.

> I'm wondering if there is a third option. For us to create a
> sub-certificate off of our current one.

A certificate contains extensions describing its allowed uses. The
certificate you got from Verisign probably doesn't allow
subcertification or issuing CRLs. So the software validating certificate
chain _should_ at least issue warnings on this.

> After digging through keytool and a whole pile of stuff on Google for a
> day (and barely scratching the surface), I still have not figured out
> the magical step of chaining a x.509 certificate. Keytool refers to
> importing a chained certificate from the CA, but nothing about how the
> CA creates it.

An answer by Ann & Lynn Wheeler to the post mentioned above lists many
references on this subject.

J.
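The procedure jacost sketches above (a private self-signed root, customer certificates issued from it with OpenSSL, the root then loaded into the customers' trust stores) and the "extra bits" Ed refers to in his reply, as an added worked example. This is not code posted by any participant in the thread. It assumes a POSIX shell with the openssl command line tool (1.1.1 or later); the organisation names, the customer hostname www.customer.example, the file names and the scratch directory are made-up assumptions. The last step deliberately tries the "third option" from the original question, deriving a sub-certificate from an end-entity certificate, and shows the validator rejecting it.

```shell
#!/bin/sh
# Added example (not code posted by anyone in this thread): a private root CA built
# with OpenSSL, a customer HTTPS server certificate issued from it, and a negative
# test showing that a certificate without the CA bits cannot act as an issuer.
# All subjects, file names and the hostname www.customer.example are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"        # scratch directory (assumption; override via WORK=)
CFG="$WORK/openssl.cnf"

# Extension profiles. The "extra bits" of a CA certificate are basicConstraints CA:TRUE
# and keyUsage keyCertSign; the two leaf profiles below deliberately carry neither.
write_config() {
    cat >"$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
# placeholder only; every command below overrides it with -subj
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.customer.example
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_codesign]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root CA: private key and certificate in one step.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CFG" -extensions v3_ca \
        -subj "/O=Example Software/CN=Example Software Private Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# issue <name> <subject> <extension-section> <issuer-name>
# Generate a key and CSR for <name>, then sign it with <issuer>'s key. The x509
# tool does not check whether the issuer is really a CA; chain validators do.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 365 -sha256 \
        -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" -CAcreateserial \
        -extfile "$CFG" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

# is_ca <name>: 0 if the certificate asserts basicConstraints CA:TRUE, 1 otherwise.
is_ca() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok <name> [intermediate]: 0 if <name> validates against root.crt, optionally
# through an untrusted intermediate certificate, 1 otherwise.
chain_ok() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$2.crt" \
            "$WORK/$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
    fi
}

write_config
make_root
issue server   "/O=Customer Inc/CN=www.customer.example"              v3_server   root
issue codesign "/O=Example Software/CN=Example Software Code Signing" v3_codesign root
# The "third option" from the question: derive a sub-certificate from the end-entity
# (jar-signing style) certificate instead of from a real CA. Signing succeeds ...
issue sub      "/O=Customer Inc/CN=sub.customer.example"              v3_server   codesign

if chain_ok server; then echo "server.crt: chains to the private root (OK)"; fi
# ... but validation does not: codesign.crt has CA:FALSE and no keyCertSign.
if chain_ok sub codesign; then
    echo "sub.crt: unexpectedly accepted"
else
    echo "sub.crt: rejected, codesign.crt is not a CA certificate"
fi
```

To hand the result to a customer running a Java stack, bundle key and chain as PKCS#12 (`openssl pkcs12 -export -inkey server.key -in server.crt -certfile root.crt -out server.p12`) for import with `keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12`, and add the root to each client's trust store with `keytool -importcert -trustcacerts -file root.crt`. The last two commands in the block are the point of the thread: chain validation is decided by the issuer's extensions, not by whether the signing key was able to produce a signature.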

