WebApp Sec mailing list archives
RE: Open Source Certificate authority
From: "Chip Kelly" <Chip.Kelly () sas com>
Date: Tue, 23 Sep 2003 14:39:39 -0400
The only way to prevent an authentication challenge in a browser is to use a certificate that is vetted to a trusted root certificate previously installed in the browser. That's what Verisign is selling for $250, a certificate that will not be challenged by almost any web browser in use on the Internet. To replace the Verisign cert, and still avoid the authentication challenge, you will need to use a certificate that is similarly vetted to a previously installed trusted root cert. There are other vendors with similar coverage to Verisign (Baltimore, Entrust, Valicert, etc.) that also sell SSL certs for a little more than half of what Verisign charges. If you choose to use your own CA, whether its MSFT or openSSL, you will not be able to avoid the authentication challenge until you vet your root certificate with one of the trusted root certificates that are already loaded into the browser that your client will use to access your site or application. That process is costly, since you are then able to generate an unlimited number of certs, all vetted to a root certificate that is recognized and trusted. chip ---- Chip Kelly, GCIA, GCIH, CISSP Systems and Information Security Manager SAS Institute Inc. Chip.Kelly () sas com RA462 voice: 919-531-7033 fax:919-677-4444 mobile: 919-606-8230 pager: 919-503-7816 -----Original Message----- From: Tenorio, Leandro [mailto:ltenorio () intelaction com] Sent: Tuesday, September 23, 2003 1:12 PM To: Jared Ingersoll; sectools () securityfocus com; webappsec () securityfocus com Subject: RE: Open Source Certificate authority U will receive a warning message unless u use a truhtfully certicate autority like verisign. On the other hand if you install the certificate created with any product the first time u use, u will never receive a warning message again. -----Original Message----- From: Jared Ingersoll [mailto:jared () cswv com] Sent: Tuesday, September 23, 2003 1:11 PM To: 'sectools () securityfocus com'; 'webappsec () securityfocus com' Subject: RE: Open Source Certificate authority Thanks for all of the useful info. Let me narrow my request one step more so I don't spend any time installing and configuring something that does not work. The point of using an alternate Certificate Authority is to mimic the exact communication between the client and server. Our application has an interface to it that 3rd parties develop their own tools to utilize. These tools are not browsers. Anything like a certificate warning for the certificate authority, mismatch domain name or (expiration) will cause the exchange of information to fail (or error out). The automated tools we use in testing behave the same. So to clarify: 1. Is there an app that anyone is familiar with that will duplicate Verisign's Certificate Authority in a way that would eliminate any type of warning. (It seems like apache and openssl are out). 2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software supply certificates that would not present any warning message? Thanks again! Jared -----Original Message----- From: Don Fike [mailto:fike () cs utk edu] Sent: Tuesday, September 23, 2003 11:08 AM To: Jared Ingersoll Cc: 'sectools () securityfocus com'; 'webappsec () securityfocus com' Subject: Re: Open Source Certificate authority You can try using openssl; http://www.openssl.org/docs/HOWTO/keys.txt http://www.openssl.org/docs/HOWTO/certificates.txt On Tue, 23 Sep 2003, Jared Ingersoll wrote:
Hi Folks, I am looking for an open source or freely available tool (and/or documentation) that I can use to create 40-bit https certificates to use
in
conjunction with iPLanet 6 (SunOne) enterprise servers on SunOS. We currently are in the middle of a project of creating a QA environment
where
we need to duplicate several sites served over https. Obviously, these
certs
will need to work with common browsers such as IE and Netscape. Currently
we
use verisign to create these certs, but at $250 a pop, the cost adds up quickly. I'm open to any unix variant or MS platform. gracias, jared
Current thread:
- RE: Open Source Certificate authority, (continued)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 23)
- Re: Open Source Certificate authority Alex Russell (Sep 23)
- Re: Open Source Certificate authority George W. Capehart (Sep 24)
- Re: Open Source Certificate authority Chackan Lai (Sep 23)
- Re: Open Source Certificate authority Keith W. McCammon (Sep 24)
- RE: Open Source Certificate authority Dave Ockwell-Jenner (Sep 24)
- Re: Open Source Certificate authority Dorian Moore (Sep 24)
- RE: Open Source Certificate authority TUER, DON (Sep 24)
- Re: Open Source Certificate authority Alex Russell (Sep 23)
- RE: Open Source Certificate authority Lapinski, Michael (Research) (Sep 23)
- RE: Open Source Certificate authority Tenorio, Leandro (Sep 23)
- RE: Open Source Certificate authority Chip Kelly (Sep 24)
- RE: Open Source Certificate authority Lapinski, Michael (Research) (Sep 24)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 24)
- RE: Open Source Certificate authority Law, Gary, (FNB) (Sep 24)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 24)
- Re: Open Source Certificate authority George W. Capehart (Sep 24)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 23)