[thelist] Homegrown SSL

Kevin Martin evolt at brasscannon.net
Thu Mar 25 08:45:38 CST 2004


Quoth "Ken Schaefer" <ken at adOpenStatic.com> and others:

> : Irrelevant. I have tried installation after installation. Because the cert
> : is not verified through a valid certificate authority, you WILL get that
> : prompt. If someone out there can prevent the prompt with a
> : homegrown'er, I am very interested in the solution. We've been facing the
> : prompt for about two years now.

> It's only "irrelevant" because you don't understand how the certificate
> trust hierarchy works. You need to import the certificate of the issuing CA
> (Certificate Authority). Then your browser will trust certificates issued by
> that CA.

Had to do something along those lines for $WE_BUILD_EXPENSIVE_CARS
recently; they wanted client certificates as an additional "factor"
to authorize access to an intranet.  These client certificates would
be distributed internally, and only to people with a need for them.

We found to my delight that when I sign such a *client* cert with
their homemade root CA cert and then export it in PKCS-12 format,
the root cert "chain" is part of the package.  Importing that ".p12"
file into a browser automatically adds the root certificate to the
trusted store.  When the client logs on to the SSL-protected intranet,
the *server's* cert (which is of course also signed by the same
homegrown root cert) is trusted.

Had to hit up about five sites to get a coherent recipe for the entire
process, due to the evolution OpenSSL has gone through over the years.
Guess I ought to write up my findings.

(NICE overview, Ken!)

-- 
A: It's confusing as all get-out.
Q: Why not?
A: No.
Q: Should people routinely put answers above questions?
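The recipe sketched in the message above, as an added shell example that is not from the original post or from OpenSSL's own documentation: a homegrown root CA, a client certificate signed by it, and the PKCS#12 export that carries the root certificate along so the importer gets the chain. The CA name, the user "Jane Client", the file names and the password `changeit` are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the three OpenSSL steps the
# message describes, run in a throwaway directory. Names (the CA, the user
# "Jane Client", the PKCS#12 password) are made-up placeholders.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
# 1. Homegrown root CA: self-signed, marked CA:TRUE so a browser treats it as
#    an issuer once it lands in the trusted store.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Homegrown Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null

# 2. Client certificate: key + CSR, then signed by the root. clientAuth in
#    extendedKeyUsage is what lets the server accept it as a logon factor.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Jane Client" \
    -keyout client.key -out client.csr 2>/dev/null
printf '%s\n' "basicConstraints = CA:FALSE" \
    "keyUsage = critical, digitalSignature" \
    "extendedKeyUsage = clientAuth" > client.ext
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile client.ext -out client.crt 2>/dev/null

# 3. PKCS#12 export. -certfile is what puts the root certificate into the .p12
#    next to the client cert and key; without it the importer gets no chain.
openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
    -name "Jane Client" -passout pass:changeit -out client.p12

# Checks to run before handing a bundle out: how many certificates the .p12
# carries (client cert + root CA = 2), and whether the client cert really
# chains to the root ("ok" or "fail").
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
client_chains_to_root() {
    if openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}
echo "certs in bundle: $(p12_cert_count client.p12); chain: $(client_chains_to_root)"
```

Importing `client.p12` into a browser is what adds the root to the trusted store; the server certificate must then be signed by that same `ca.key` for the intranet logon to proceed without the prompt.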