Self-signed keys...

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Self-signed keys...

Ron Muck

Hi,
My current System is:
        OS:                Windows XP SP2
        Compiler:        MSVC++ 6 SP5
        OpenSSL:        0.9.7e 25 Oct 2004

I am new to SSL and am currently converting our application's communication layer over to used SSL.  For the time
being I do not want to go through an official CA to get a signed certificate so I am currently generating my
private key without a password and my certificate is self signed:

        myprivkey.pem:  openssl genrsa -out myprivkey.pem 2048
        mycert.pem:         openssl req -new x509 -key myprivkey.pem -out mycert.pem

I have a couple of questions regarding this approach:
1.  How safe is running with self signed keys?  If this is not safe, what are my options regarding CA signing...
     my understanding is that most CA services charge for signing and I am unaware of a "free" CA.

2.  I am developing both a client and server application and am somewhat confused as to what needs to be
    delivered to the end-user?  In my testing, as long as my server has the private key and certificate files to read in,
    communication works fine.  This leads me to believe that the example is simply doing Server Authentication?

3.  I have been made aware of the Microsoft's Certificate Import Wizard...do I need to add my generated certificate as
    a Trusted Certificate Authority?  Is distributing the private key and certificate safe or is there another way?

Thanks in advance for any help in these matters,

Ron Muck
Senior Software Engineer
[hidden email]
503.579.1414  x5054
www.nobeltec.com
Reply | Threaded
Open this post in threaded view
|

Re: Self-signed keys...

Ken Goldman
> From: [hidden email]
> Date: Tue, 24 May 2005 09:24:19 -0700
>
> I am new to SSL and am currently converting our application's
> communication layer over to used SSL.  For the time
> being I do not want to go through an official CA to get a signed
> certificate so I am currently generating my
> private key without a password and my certificate is self signed:
>
>         myprivkey.pem:  openssl genrsa -out myprivkey.pem 2048
>         mycert.pem:      openssl req -new x509 -key myprivkey.pem -out
> mycert.pem
>
> I have a couple of questions regarding this approach:
> 1.  How safe is running with self signed keys?  If this is not safe, what
> are my options regarding CA signing...
>      my understanding is that most CA services charge for signing and I am
> unaware of a "free" CA.

For testing, I suppose safe isn't an issue.

Assuming it's a public application, if I gave you a self signed
certificate saying I'm Isaac Newton, would you trust it?  If I ran a
free CA, and would issue a certificate to anyone who said they were
Isaac Newton, would you trust my CA certification?

I hope you answered, "No."

The value add of a CA is that they check to see that I am who I claim
to be.  Signing is cheap; you pay for the trust behind the signature.
You accept that you trust their procedures when you install the
certificate.
>
> 2.  I am developing both a client and server application and am somewhat
> confused as to what needs to be
>     delivered to the end-user?  In my testing, as long as my server has
> the private key and certificate files to read in,
>     communication works fine.  This leads me to believe that the example
> is simply doing Server Authentication?

It sounds like you are correct.

Client certification works similarly.  The client generates a key
pair, sends the certificate request to a CA that you trust, and sends
you the resulting certificate at connection time.

> 3.  I have been made aware of the Microsoft's Certificate Import
> Wizard...do I need to add my generated certificate as
>     a Trusted Certificate Authority?  

Is this the import into IE?  By importing a CA certificate, you are
telling IE to trust any certificate signed by that CA.  In general,
you install CA certificates.  The certificates of the connecting
parties are exchanged at connection time, and don't get installed.

> Is distributing the private key and
> certificate safe or is there another way?

You never distribute a private key.  You distribute the public key in
the form of a certificate.

--
Ken Goldman   [hidden email]   914-784-7646
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]