WebApp Sec mailing list archives

RE: Open Source Certificate authority


From: "Lapinski, Michael (Research)" <lapinski () crd ge com>
Date: Tue, 23 Sep 2003 14:04:47 -0400

This is not a simple issue of accepting a cert and keeping it. 
It is a question of does the cert actually hold any water.

The purpose of companies like verisign (who yes are a money 
grubbing entity raping the end user) is that they have been 
established as "trusted" sources of certificates. What I mean
by trusted is that when you get a cert that has been signed 
by one of these you can be sure that the entity is who they 
claim to be. 

If you setup your own certificate authority and manage your 
own infrastructure then I would think of it as appropriate 
that you advise your customers to accept the "untrusted" 
certificate that comes from your certificate authority and 
save it. If you don't want to do this you're stuck shelling 
out cash to verisign. It's a trade-off depending on how many
certs you need.

-mtl


--------------------------------------------------
Michael Lapinski
Computer Scientist
GE Research


"I think there is a world market for maybe five computers."
            - IBM Chairman Thomas Watson, 1943

-----Original Message-----
From: Tenorio, Leandro [mailto:ltenorio () intelaction com] 
Sent: Tuesday, September 23, 2003 1:12 PM
To: Jared Ingersoll; sectools () securityfocus com; webappsec () securityfocus com
Subject: RE: Open Source Certificate authority


You will receive a warning message unless you use a truthful certificate
authority like verisign. On the other hand, if you install the certificate
created with any product the first time you use it, you will never receive a
warning message again.



-----Original Message-----
From: Jared Ingersoll [mailto:jared () cswv com] 
Sent: Tuesday, September 23, 2003 1:11 PM
To: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
Subject: RE: Open Source Certificate authority

Thanks for all of the useful info. Let me narrow my request one step more so
I don't spend any time installing and configuring something that does not
work.  The point of using an alternate Certificate Authority is to mimic the
exact communication between the client and server. Our application has an
interface to it that 3rd parties develop their own tools to utilize. These
tools are not browsers. Anything like a certificate warning for the
certificate authority, mismatch domain name or (expiration) will cause the
exchange of information to fail (or error out). The automated tools we use
in testing behave the same. So to clarify:

1. Is there an app that anyone is familiar with that will duplicate
Verisign's Certificate Authority in a way that would eliminate any type of
warning. (It seems like apache and openssl are out).
2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software supply
certificates that would not present any warning message?

Thanks again!

Jared

-----Original Message-----
From: Don Fike [mailto:fike () cs utk edu]
Sent: Tuesday, September 23, 2003 11:08 AM
To: Jared Ingersoll
Cc: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
Subject: Re: Open Source Certificate authority



You can try using openssl;

http://www.openssl.org/docs/HOWTO/keys.txt

http://www.openssl.org/docs/HOWTO/certificates.txt



On Tue, 23 Sep 2003, Jared Ingersoll wrote:

Hi Folks,

I am looking for an open source or freely available tool (and/or
documentation) that I can use to create 40-bit https certificates to use in
conjunction with iPLanet 6 (SunOne) enterprise servers on SunOS. We
currently are in the middle of a project of creating a QA environment where
we need to duplicate several sites served over https. Obviously, these certs
will need to work with common browsers such as IE and Netscape. Currently we
use verisign to create these certs, but at $250 a pop, the cost adds
up quickly. I'm open to any unix variant or MS platform.


gracias,
jared


