CA certificate authentication

I sent the email below yesterday, but I sent it before I completed the
subscription process for the openssl-users list.  So, my guess is that
it wasn't sent.  If you're seeing again, my apologies.

Thanks!


Michael Bencoe
Organization 9512
Sandia National Laboratories
Phone: 505-844-6758
Fax:     505-844-2018
Email:  [hidden email]

-----Original Message-----
From: Bencoe, Michael K
Sent: Sunday, June 05, 2005 7:34 PM
To: [hidden email]
Subject: CA certificate authentication and more

Our development team just completed a successful experiment using SSL
and mutual certificate authentication between a Java socket server and a
C++ socket client.  The C++ client used OpenSSL, while the Java server
used the SSL services provided with the 1.4 SDK.  For the experiment, we
created the certificate files/stores and key files/stores with OpenSSL
and Java utilities.

Our Java server is a servlet that will run under Weblogic.  We recently
learned that a CA-signed certificate signed by a major commercial CA
(VeriSign, Entrust, etc.) will be used for the Weblogic servlet.  Since
our team is relatively new to SSL in general, and OpenSSL in particular,
we had the following questions/requests:

   1. Can anyone provide me a C or C++ code snippet for OpenSSL client
authentication of a
      CA-signed server certificate?

   2. We thought it would be good idea to use the Java cacerts store to
authenticate the server
      certificate, since it is supposed to be able to authenticate all
of the major CAs.  We
      expect to have to convert cacerts to a format that OpenSSL
prefers.  So:

          a. Is this a good idea? If not, what is a better approach?
          b. Does the cacerts file need to be converted to a format
OpenSSL perfers (e.g., PEM)?
             If so, could someone send me the syntax for the OpenSSL or
Java (keytool)
             command that would be used to transform it?

Thanks in advance for any help and guidance you can provide.










______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Bencoe, Michael K wrote:

> Our development team just completed a successful experiment using SSL
> and mutual certificate authentication between a Java socket server and a
> C++ socket client.  The C++ client used OpenSSL, while the Java server
> used the SSL services provided with the 1.4 SDK.  For the experiment, we
> created the certificate files/stores and key files/stores with OpenSSL
> and Java utilities.
>
I'm not a Java guy but be aware that the 1.4JDK only supports keys up to
1024 bits. If you need bigger key lengths (e.g., 2048, 4096) you'll need
to go to 1.5+

--

Cheers!

J. Wren Hunt
Cambridge, MA. USA

------------
"I have never killed anyone, but I have read some obituaries with some
satisfaction." - Clarence Darrow.

+------------------------------------------------------------------+
| v-card   http://wrenhunt.homelinux.org/data/wren.vcf             |
| x.509    http://wrenhunt.homelinux.org/data/thawte_wren_hunt.cer |
| OpenPGP  ADF5 1432 A59E 8F4D 4AE7  4DFE 03FA 91E1 4A24 D6F4      |
+------------------------------------------------------------------+