[cvsnt] sserver with self-signed certificates
Charles Oram
charlesoram at hotmail.com
Tue Mar 14 20:04:09 GMT 2006
Tony wrote:
>Charles Oram wrote:
>>So if I install the user's self-signed certificate on the server, isn't
>>that just giving the server the user's public key so that the server can
>>authenticate the user? OK, I don't have the full chain of trust that you
>>have with signed certificates, but you need more than a username and
>>password to login to CVS then.
>
>That's not how SSL works - you create a local CA, then issue certificates
>from that CA to your clients. The server then knows it can trust the
>certificate as it was issued from its own (trusted) CA. You'd have to
>issue the ca.pem for your local CA of course...
>
>This not only allows you to control which clients can connect, but you can
>control things like the expiration date and revoke old clients easily.
>
>I know of no implementations that work as you suggest - the whole point of
>signing is you don't need huge databases of valid clients.. you'd end up
>with login time sucking as it'd have to compare every public key it knew
>about with the supplied one (that's even if it's possible to implement such
>a scheme in SSL.. you might not be able to get the presented keys & convert
>them into a useful format anyway).
OK, but is the server certificate that was generated with genkey
self-signed? Can I just make my own client certificates that are signed with
the server private key? And if so, how do you do it - can I just use the
openssl tools?
Thanks for your help.
Charles
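The local-CA arrangement Tony describes, and the openssl-only workflow Charles asks about, as an added example (not code from the thread or from the cvsnt project). A small CA is created, a server certificate and a client certificate are issued from it, and `openssl verify` is used to show what the server's trust check amounts to: a certificate issued by the CA passes, while an independently self-signed client certificate for the same user fails. All file names, subject names, the `lab.example` host and the validity periods are assumptions; how the resulting files are wired into sserver's configuration is not covered here.

```shell
#!/bin/sh
# Added example, not from the cvsnt mailing list or the cvsnt project.
# Builds a throwaway local CA with the openssl command-line tools, issues
# certificates from it, and checks which client certificates chain to it.
# Names below (Lab CVS CA, cvs.lab.example, charles, rogue) are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. The local CA: a private key plus a self-signed root certificate (ca.pem).
#    ca.pem is what gets handed to every client; ca.key never leaves the CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout ca.key -out ca.pem -subj "/CN=Lab CVS CA" >/dev/null 2>&1
}

# 2. Issue a certificate from the CA: generate a key and a signing request,
#    then sign the request with the CA key. The -days value is the expiry
#    Tony refers to; a client whose certificate has lapsed is refused.
issue_cert() {
    name="$1"; subj="$2"; days="$3"
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subj" >/dev/null 2>&1
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days "$days" -out "$name.pem" >/dev/null 2>&1
}

# 3. The server-side check, reduced to its essence: does the presented
#    certificate chain to ca.pem? Prints OK or FAIL. The ': OK' text is
#    matched rather than the exit status because old openssl releases
#    did not reliably signal verification failure through the exit code.
verify_client() {
    if openssl verify -CAfile ca.pem "$1" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# A client certificate somebody self-signed on their own machine, with the
# same subject as the legitimate one. It has no relation to the CA, so the
# server has no basis to trust it, whatever the CN claims.
make_rogue_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout rogue.key -out rogue.pem -subj "/CN=charles" >/dev/null 2>&1
}

# Show who issued a certificate and when it stops being valid.
show_cert() {
    openssl x509 -noout -subject -issuer -enddate -in "$1"
}

demo() {
    make_ca
    issue_cert server "/CN=cvs.lab.example" 730
    issue_cert charles "/CN=charles" 365
    make_rogue_selfsigned
    echo "--- issued client certificate"
    show_cert charles.pem
    echo "verify: $(verify_client charles.pem)"
    echo "--- independently self-signed certificate, same CN"
    show_cert rogue.pem
    echo "verify: $(verify_client rogue.pem)"
    echo "(working directory: $WORK)"
}

demo
```

Run it with `sh ca-demo.sh`; the issued `charles.pem` verifies, the self-signed `rogue.pem` does not, which is the distinction between "a certificate signed by a CA the server trusts" and "a public key the server happens to have seen". Revoking a client is a matter of publishing a CRL from the same CA, which `openssl ca -gencrl` handles but which needs an openssl.cnf and is not shown here.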