RE: Open Source Certificate authority

[Jared Ingersoll <jared () cswv com>]

Hi All,

Before this degenerates into a philosophical discussion of what makes an
authority trusted, I want to send thanks to everyone for their suggestions
as I have already successfully setup the environment I was looking for using
(mostly) information provided by these two lists. I have decided to use the
MS Cert Authority since it is out of the box and did not require any setup
etc. It worked quite nicely with my iplanet server. Some info that was sent
along off list to me personally was helpful as well, especially the Java
related stuff for passing my own list of trusted certificate authorities.

I have to say that this has been one of the more quickly moderated and
productive lists I have subscribed to in recent memory.

Thanks again,

Jared

> Thanks for all of the useful info. Let me narrow my request one step more
so
> I don't spend any time installing and configuring something that does not
> work.  The point of using an alternate Certificate Authority is to mimic
the
> exact communication between the client and server. Our application has an
> interface to it that 3rd parties develop their own tools to utilize. These
> tools are not browsers. Anything like a certificate warning for the
> certificate authority, mismatch domain name or (expiration) will cause the
> exchange of information to fail (or error out). The automated tools we use
> in testing behave the same. So to clarify:
>
> 1. Is there an app that anyone is familiar with that will duplicate
> Verisign's Certificate Authority in a way that would eliminate any type of
> warning. (It seems like apache and openssl are out).
> 2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software
> supply certificates that would not present any warning message?
>
> Thanks again!
>
> Jared
>
> -----Original Message-----
> From: Don Fike [mailto:fike () cs utk edu]
> Sent: Tuesday, September 23, 2003 11:08 AM
> To: Jared Ingersoll
> Cc: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
> Subject: Re: Open Source Certificate authority
>
>
>
> You can try using openssl;
>
> http://www.openssl.org/docs/HOWTO/keys.txt
>
> http://www.openssl.org/docs/HOWTO/certificates.txt
>
>
>
> On Tue, 23 Sep 2003, Jared Ingersoll wrote:
>
>  
>
> > Hi Folks,
> >
> > I am looking for an open source or freely available tool (and/or
> > documentation) that I can use to create 40-bit https certificates to use
> >    
> in
>  
>
> > conjunction with iPLanet 6 (SunOne) enterprise servers on SunOS. We
> > currently are in the middle of a project of creating a QA environment
> >    
> where
>  
>
> > we need to duplicate several sites served over https. Obviously, these
> >    
> certs
>  
>
> > will need to work with common browsers such as IE and Netscape. Currently
> >    
> we
>  
>
> > use verisign to create these certs, but at $250 a pop, the cost adds up
> > quickly. I'm open to any unix variant or MS platform.
> >
> >
> > gracias,
> > jared
> >
> >    
>
> .
>
>