WebApp Sec mailing list archives
RE: Open Source Certificate authority
From: "Dave Ockwell-Jenner" <doj () solar-nexus com>
Date: Tue, 23 Sep 2003 13:58:58 -0400
The reason that you don't get a warning when you use the VeriSign certificates is that most browsers have a list of preset certificate authorities (CAs). When the SSL transaction is being negotiated, the browser will validate the server certificate it receives. If the certificate was issued by one of the browser's known CAs then the connection is made. If the CA is not found for the server certificate, you'll get some form of warning (which you don't want!)

With OpenSSL, you could create your own CA certificate (a self-signed root certificate) and install it into your browser. This will add your CA to the list of known CAs the browser already has (like VeriSign, Thawte, etc.) You can then use your root CA to sign your own server certificates. This is a little involved, but it works.

--
Dave Ockwell-Jenner
Solar Nexus Solutions
http://www.solar-nexus.com/

-----Original Message-----
From: Jared Ingersoll [mailto:jared () cswv com]
Sent: September 23, 2003 12:11 PM
To: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
Subject: RE: Open Source Certificate authority

Thanks for all of the useful info. Let me narrow my request one step more so I don't spend any time installing and configuring something that does not work.

The point of using an alternate Certificate Authority is to mimic the exact communication between the client and server. Our application has an interface to it that 3rd parties develop their own tools to utilize. These tools are not browsers. Anything like a certificate warning for the certificate authority, mismatched domain name or (expiration) will cause the exchange of information to fail (or error out). The automated tools we use in testing behave the same.

So to clarify:

1. Is there an app that anyone is familiar with that will duplicate Verisign's Certificate Authority in a way that would eliminate any type of warning? (It seems like apache and openssl are out).

2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software supply certificates that would not present any warning message?

Thanks again!
Jared
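The procedure Dave outlines (a self-signed root CA made with OpenSSL, then server certificates signed by it), as an added example that is not part of the original post. It also shows the two failure cases Jared's non-browser tools would hit: a root that is not in the client's trust store, and a name mismatch. It assumes the openssl CLI is on PATH; the CA name, the host names under example.test and the work directory are constructed for this demo.

```shell
# Added example, not from the list post: private root CA with OpenSSL, a leaf
# server cert signed by it, and chain checks as a trusting client would do them.
# Assumes: openssl on PATH; names below (CA name, *.example.test) are made up.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
make_root_ca() {
  # Self-signed root: this is the file you import into the browser/tool trust store.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/openssl.cnf" -extensions v3_ca \
    -keyout "$WORKDIR/rootCA.key" -out "$WORKDIR/rootCA.pem" 2>/dev/null
}
issue_server_cert() {  # $1 = DNS name the clients connect to
  # Leaf cert signed by the root. The SAN must equal the host name, otherwise
  # clients report a name mismatch even though the issuer is trusted.
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$1" > "$WORKDIR/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -config "$WORKDIR/openssl.cnf" -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/rootCA.pem" -CAkey "$WORKDIR/rootCA.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORKDIR/$1.ext" -out "$WORKDIR/$1.pem" 2>/dev/null
}
verify_chain() {  # $1 = CA file to trust ("" = system store only), $2 = cert, $3 = host name
  # Exit status 0 only when the cert chains to a trusted root AND the name matches.
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$3" "$2" >/dev/null 2>&1
  fi
}
main() {
  make_root_ca
  issue_server_cert app.example.test
  LEAF="$WORKDIR/app.example.test.pem"
  verify_chain "$WORKDIR/rootCA.pem" "$LEAF" app.example.test && echo "trusted root, matching name: OK"
  verify_chain "" "$LEAF" app.example.test || echo "root not in trust store: rejected (the warning case)"
  verify_chain "$WORKDIR/rootCA.pem" "$LEAF" other.example.test || echo "name mismatch: rejected"
}
main
```

Installing rootCA.pem into each client's trust store (browser, or the CA bundle the third-party tools read) is what turns the second case into the first.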
Current thread:
- Open Source Certificate authority Jared Ingersoll (Sep 23)
- Re: Open Source Certificate authority Don Fike (Sep 23)
- Re: Open Source Certificate authority Keith W. McCammon (Sep 23)
- <Possible follow-ups>
- RE: Open Source Certificate authority Tenorio, Leandro (Sep 23)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 23)
- Re: Open Source Certificate authority Alex Russell (Sep 23)
- Re: Open Source Certificate authority George W. Capehart (Sep 24)
- Re: Open Source Certificate authority Chackan Lai (Sep 23)
- Re: Open Source Certificate authority Keith W. McCammon (Sep 24)
- RE: Open Source Certificate authority Dave Ockwell-Jenner (Sep 24)
- Re: Open Source Certificate authority Dorian Moore (Sep 24)
- RE: Open Source Certificate authority TUER, DON (Sep 24)
- Re: Open Source Certificate authority Alex Russell (Sep 23)
- RE: Open Source Certificate authority Lapinski, Michael (Research) (Sep 23)
- RE: Open Source Certificate authority Tenorio, Leandro (Sep 23)
- RE: Open Source Certificate authority Chip Kelly (Sep 24)
- RE: Open Source Certificate authority Lapinski, Michael (Research) (Sep 24)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 24)
- RE: Open Source Certificate authority Law, Gary, (FNB) (Sep 24)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 24)
- Re: Open Source Certificate authority George W. Capehart (Sep 24)