WebApp Sec mailing list archives

Re: Open Source Certificate authority


From: "Keith W. McCammon" <keith-list () mccammon org>
Date: Tue, 23 Sep 2003 14:19:30 -0400

> Thanks for all of the useful info. Let me narrow my request one step more so
> I don't spend any time installing and configuring something that does not
> work.  The point of using an alternate Certificate Authority is to mimic the
> exact communication between the client and server. Our application has an
> interface to it that 3rd parties develop their own tools to utilize. These
> tools are not browsers. Anything like a certificate warning for the
> certificate authority, mismatch domain name or (expiration) will cause the
> exchange of information to fail (or error out). The automated tools we use
> in testing behave the same. So to clarify:

Typically, certificate-dependent apps/services will not present a warning message if:

- The issuing CA is trusted by the software/system that is attempting to make use of or validate the cert. Verisign, Entrust, et al. happen to be trusted by the major software vendors. As such, clients need not download the CA certification path and/or CA certificate, and will not receive any "untrusted authority" type messages.

- The certificate CN matches the host name requested by the client.

- Neither the host certificate, nor any certificates in the chain of trust have been revoked or have expired.

- And so on...

> 1. Is there an app that anyone is familiar with that will duplicate
> Verisign's Certificate Authority in a way that would eliminate any type of
> warning? (It seems like apache and openssl are out).

Sure, any CA that is trusted by the client(s), and any client software that can ignore other non-trust-related issues.

Regarding your OpenSSL citation, OpenSSL is not returning an error to the client; the client is generating the error based on the request information, as well as the information contained within the certificate in question. It's not so much a matter of one side sending the other an error message--it's a mismatch.

> 2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software
> supply certificates that would not present any warning message?

Again, this is dependent on the client. If the client is set up to ignore these errors, then they're not a problem. If the client is incapable of ignoring these errors, then the client needs to:

- Install the CA certificate and/or path to prevent trust errors

- Use the correct host name (matching the CN associated with the certificate)

- Ignore things like revocation and expiration, if the certificate is known to be out of date or otherwise invalid.

Hope this helps. Sorry for the length. Hope I'm not missing the point entirely.

Cheers,

Keith
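The three client-side checks listed above (CA trust, host name match, validity period), exercised with the openssl command line against a throwaway private CA. This is an added example, not code from the thread; the CA name, the host name app.example.test and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example: a throwaway private CA, one host certificate, and the three
# checks a client performs locally. The server only ever hands over srv.crt;
# every verdict below is computed by the verifying side, not sent by OpenSSL.
# Constructed names: "Private Test CA", app.example.test, files in a temp dir.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
    # Self-signed root: the "alternate Certificate Authority" from the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Private Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null || return 1
    # Host certificate whose CN is the name clients will connect to.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.crt" 2>/dev/null
}

# Run one client-side validation of srv.crt; print and return ok/fail.
check() {
    if openssl verify "$@" "$WORK/srv.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail; return 1
    fi
}

# 1. CA trust: without the CA in the trust store no chain can be built.
untrusted_ca()   { check; }
trusted_ca()     { check -CAfile "$WORK/ca.crt"; }
# 2. Host name: the CN must match the name the client asked for.
right_hostname() { check -CAfile "$WORK/ca.crt" -verify_hostname app.example.test; }
wrong_hostname() { check -CAfile "$WORK/ca.crt" -verify_hostname other.example.test; }
# 3. Validity: evaluate the same cert as if the clock read 2100-01-01.
after_expiry()   { check -CAfile "$WORK/ca.crt" -attime 4102444800; }

main() {
    make_certs || { echo "certificate generation failed (is openssl installed?)"; return 1; }
    printf 'CA not trusted:       '; untrusted_ca
    printf 'CA installed:         '; trusted_ca
    printf 'host name matches:    '; right_hostname
    printf 'host name mismatch:   '; wrong_hostname
    printf 'checked after expiry: '; after_expiry
    return 0
}

main "$@"
```

Installing ca.crt (trusted_ca) silences only the trust error; a wrong host name or an expired certificate still fails, which is why a non-browser client needs all three to line up or must be told to skip a check.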
