WebApp Sec mailing list archives
RE: Open Source Certificate authority
From: Jared Ingersoll <jared () cswv com>
Date: Tue, 23 Sep 2003 15:13:16 -0400
Hi All, Before this degenerates into a philosophical discussion of what makes an authority trusted, I want to send thanks to everyone for their suggestions as I have already successfully setup the environment I was looking for using (mostly) information provided by these two lists. I have decided to use the MS Cert Authority since it is out of the box and did not require any setup etc. It worked quite nicely with my iplanet server. Some info that was sent along off list to me personally was helpful as well, especially the Java related stuff for passing my own list of trusted certificate authorities. I have to say that this has been one of the more quickly moderated and productive lists I have subscribed to in recent memory. Thanks again, Jared
Thanks for all of the useful info. Let me narrow my request one step more
so
I don't spend any time installing and configuring something that does not work. The point of using an alternate Certificate Authority is to mimic
the
exact communication between the client and server. Our application has an interface to it that 3rd parties develop their own tools to utilize. These tools are not browsers. Anything like a certificate warning for the certificate authority, mismatch domain name or (expiration) will cause the exchange of information to fail (or error out). The automated tools we use in testing behave the same. So to clarify: 1. Is there an app that anyone is familiar with that will duplicate Verisign's Certificate Authority in a way that would eliminate any type of warning. (It seems like apache and openssl are out). 2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software supply certificates that would not present any warning message? Thanks again! Jared -----Original Message----- From: Don Fike [mailto:fike () cs utk edu] Sent: Tuesday, September 23, 2003 11:08 AM To: Jared Ingersoll Cc: 'sectools () securityfocus com'; 'webappsec () securityfocus com' Subject: Re: Open Source Certificate authority You can try using openssl; http://www.openssl.org/docs/HOWTO/keys.txt http://www.openssl.org/docs/HOWTO/certificates.txt On Tue, 23 Sep 2003, Jared Ingersoll wrote:Hi Folks, I am looking for an open source or freely available tool (and/or documentation) that I can use to create 40-bit https certificates to useinconjunction with iPLanet 6 (SunOne) enterprise servers on SunOS. We currently are in the middle of a project of creating a QA environmentwherewe need to duplicate several sites served over https. Obviously, thesecertswill need to work with common browsers such as IE and Netscape. Currentlyweuse verisign to create these certs, but at $250 a pop, the cost adds up quickly. I'm open to any unix variant or MS platform. gracias, jared.
Current thread:
- Re: Open Source Certificate authority, (continued)
- Re: Open Source Certificate authority George W. Capehart (Sep 24)
- Re: Open Source Certificate authority Chackan Lai (Sep 23)
- Re: Open Source Certificate authority Keith W. McCammon (Sep 24)
- RE: Open Source Certificate authority Dave Ockwell-Jenner (Sep 24)
- Re: Open Source Certificate authority Dorian Moore (Sep 24)
- RE: Open Source Certificate authority TUER, DON (Sep 24)
- RE: Open Source Certificate authority Lapinski, Michael (Research) (Sep 23)
- RE: Open Source Certificate authority Tenorio, Leandro (Sep 23)
- RE: Open Source Certificate authority Chip Kelly (Sep 24)
- RE: Open Source Certificate authority Lapinski, Michael (Research) (Sep 24)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 24)
- RE: Open Source Certificate authority Law, Gary, (FNB) (Sep 24)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 24)
- Re: Open Source Certificate authority George W. Capehart (Sep 24)