I sent the email below yesterday, but I sent it before I completed the
subscription process for the openssl-users list. So, my guess is that
it wasn't sent. If you're seeing it again, my apologies.
Sandia National Laboratories
Email: [hidden email]
From: Bencoe, Michael K
Sent: Sunday, June 05, 2005 7:34 PM
To: [hidden email]
Subject: CA certificate authentication and more
Our development team just completed a successful experiment using SSL
and mutual certificate authentication between a Java socket server and a
C++ socket client. The C++ client used OpenSSL, while the Java server
used the SSL services provided with the 1.4 SDK. For the experiment, we
created the certificate files/stores and key files/stores with OpenSSL
and Java utilities.
Our Java server is a servlet that will run under Weblogic. We recently
learned that a CA-signed certificate signed by a major commercial CA
(VeriSign, Entrust, etc.) will be used for the Weblogic servlet. Since
our team is relatively new to SSL in general, and OpenSSL in particular,
we had the following questions/requests:
1. Can anyone provide me a C or C++ code snippet for OpenSSL client
   authentication of a CA-signed server certificate?
2. We thought it would be a good idea to use the Java cacerts store to
   authenticate the server certificate, since it is supposed to be able to
   authenticate all of the major CAs. We expect to have to convert cacerts
   to a format that OpenSSL
   a. Is this a good idea? If not, what is a better approach?
   b. Does the cacerts file need to be converted to a format OpenSSL
      prefers (e.g., PEM)? If so, could someone send me the syntax for the
      OpenSSL or command that would be used to transform it?
Thanks in advance for any help and guidance you can provide.
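Added example for questions 1 and 2b above; this is not code from the original poster, from Sandia, or from the OpenSSL or Java projects. It builds a throwaway CA and a server certificate that CA signs (constructed test data standing in for the commercial CA and the Weblogic certificate), then checks the server certificate the way an OpenSSL client has to: the chain must end in a CA the client trusts, and the certificate must carry the hostname the client meant to reach. A second, unrelated CA and a wrong hostname show the two rejection paths. The last function converts a Java keystore such as cacerts into a PEM bundle with keytool; the keystore path, the "changeit" default password and the keytool `-list` output format it parses are assumptions, and the demo does not call it unless you point it at a keystore.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): CA-signed server
# certificate verification with the openssl CLI, plus cacerts -> PEM export.
set -eu

# make_ca PREFIX "CN": self-signed CA key (PREFIX.key) and cert (PREFIX.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# issue_server_cert CAPREFIX PREFIX HOSTNAME: key and CA-signed cert for
# HOSTNAME. A subjectAltName is added so hostname checking does not have to
# fall back to the CN, which is how a commercial CA issues today.
issue_server_cert() {
    ca=$1; out=$2; host=$3
    openssl req -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
        -subj "/CN=$host" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out.ext"
    openssl x509 -req -days 1 -in "$out.csr" -CA "$ca.crt" -CAkey "$ca.key" \
        -CAcreateserial -extfile "$out.ext" -out "$out.crt" 2>/dev/null
}

# verify_server_cert CAFILE CERT HOSTNAME: exit 0 only if CERT chains to a CA
# in CAFILE and matches HOSTNAME. This is the same pair of checks a C client
# needs: SSL_CTX_load_verify_locations() + SSL_VERIFY_PEER (chain), and a
# hostname match, which old OpenSSL left to the application.
verify_server_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# count_pem_certs FILE: number of PEM certificates in a bundle.
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# jks_to_pem KEYSTORE STOREPASS OUTFILE: export every trusted certificate
# entry of a Java keystore (cacerts ships with password "changeit") into one
# PEM bundle usable with -CAfile. Assumption: keytool's "-list" lines look
# like "alias, date, trustedCertEntry," (this is how current JDKs print it).
jks_to_pem() {
    ks=$1; pw=$2; out=$3
    : > "$out"
    keytool -list -keystore "$ks" -storepass "$pw" \
      | awk -F', ' '/trustedCertEntry/ { print $1 }' \
      | while IFS= read -r alias; do
            keytool -exportcert -rfc -keystore "$ks" -storepass "$pw" \
                -alias "$alias" >> "$out"
        done
    count_pem_certs "$out"
}

# report CAFILE CERT HOSTNAME: human-readable accept/reject line.
report() {
    if verify_server_cert "$1" "$2" "$3"; then
        echo "trust=$(basename "$1") host=$3: accepted"
    else
        echo "trust=$(basename "$1") host=$3: rejected"
    fi
}

# Demo on constructed data: one trusted CA, one unrelated CA, one server cert.
WORK=$(mktemp -d)
make_ca "$WORK/ca" "Test Root CA"
make_ca "$WORK/other" "Unrelated CA"
issue_server_cert "$WORK/ca" "$WORK/server" weblogic.example.com
report "$WORK/ca.crt"    "$WORK/server.crt" weblogic.example.com   # accepted
report "$WORK/other.crt" "$WORK/server.crt" weblogic.example.com   # rejected: wrong CA
report "$WORK/ca.crt"    "$WORK/server.crt" evil.example.com       # rejected: wrong host
rm -rf "$WORK"
```

Two caveats when carrying this over to a client: `openssl verify` (and a default `SSL_CTX`) also consults the system-wide default CA directory unless you disable it (`-no-CAfile -no-CApath` on 1.1.0+), so test that the unrelated-CA case really fails in your build; and the chain check alone is not authentication of the server, a certificate from any trusted CA for any hostname passes it, which is why the hostname check is in the same function here. The keytool route works for JDK 1.4 as well, where the subcommand is spelled `-export -rfc` rather than `-exportcert -rfc`.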
> Our development team just completed a successful experiment using SSL
> and mutual certificate authentication between a Java socket server and a
> C++ socket client. The C++ client used OpenSSL, while the Java server
> used the SSL services provided with the 1.4 SDK. For the experiment, we
> created the certificate files/stores and key files/stores with OpenSSL
> and Java utilities.
I'm not a Java guy but be aware that the 1.4 JDK only supports keys up to
1024 bits. If you need bigger key lengths (e.g., 2048, 4096) you'll need
to go to 1.5+.
J. Wren Hunt
Cambridge, MA. USA
"I have never killed anyone, but I have read some obituaries with some
satisfaction." - Clarence Darrow.