Re: [Gnumed-devel] re gnu argus postgres port
From: Syan Tan
Subject: Re: [Gnumed-devel] re gnu argus postgres port
Date: Mon, 20 Jun 2005 00:14:47 +0800
> Agree that would be fantastic, but a version of Argus which supported
> non-HeSA X.509 PKIs would also be good. If the HIC libraries are based
> on OpenSSL, it may be possible to write a thin wrapper around OpenSSL to
> emulate the HIC libraries (which are probably just a thin wrapper
> themselves).
>
I was wondering how to approach certificate chains.
The standard Java API for their standard keyStore class is
    keyStore.storeKeyEntry( privateKey, certificateChain, password)
a certificate chain being an ordered array of type Certificate[].
openssl allows one to generate self-signing certificates:
    openssl req -newkey rsa:1024 -keyout a_privkey.pem -out req.pem
This asks the req module to generate a public/private 1024-bit RSA key,
with the private key stored in the file a_privkey.pem and the
public key stored in the certificate request req.pem.
then
    openssl x509 -req -in req.pem -signkey a_privkey.pem -out ca_cert.pem
this asks the x509 module to accept a request (-req), with the request file req.pem
(-in), signing with its own private key, thus making it self-signed,
and outputting a self-signed certificate, calling itself ca_cert.pem.
Any self-signing certificate can be a CA certificate, if accepted as one, I
suppose.
then, say I've got my certificate request with public key and private key file,
    openssl req -newkey rsa:1024 -keyout my_privkey.pem -out my_cert.req.pem
I get my copy of a CA certificate to sign it (and being the CA cert owner, I've
got the private CA key to do the signing),
    openssl x509 -req -CA ca_cert.pem -CAkey a_privkey.pem -CAcreateserial \
        -in my_cert.req.pem -out my_cert.pem
(note my_privkey.pem isn't needed, as it is private, and not used for signing
yet)
I can look at my cert
    openssl x509 -in my_cert.pem -text
And it shows the details of the CA certificate issuer, but I'm not sure how
you would get a copy, except by requesting one via email.
So if you now want to save your private key, my_privkey.pem, along
with the certificate, my_cert.pem, you also seem to need
a copy of ca_cert.pem, is that correct?
(in order to use the standard Java keystore API)
    keyStore.storeKeyEntry( getPrivateKey(my_privkey.pem),
        getCertificates(my_cert.pem, ca_cert.pem), password )
Looking at the Mozilla certificate manager, it looks like you can
import self-signing certificates and make them a collection
of self-signed CA certificates, stored inside an application certificate store.
So would you probably need a similar feature for Argus?
(you could use the same key/certificate store to construct the 2-certificate
chains, and store the CA certificate and the generated public certificate that
matches the local private key being stored).
This seems awkward, so I was wondering if anyone could fill me in on how it's
supposed to be done.
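The two-certificate chain the post asks about, as an added example that is not from the post, from Argus or from GNUmed: it runs the same openssl steps non-interactively (CA key plus self-signed CA cert, leaf key plus request, CA-signed leaf) and then adds the two checks the post does not have, namely that my_cert.pem verifies against ca_cert.pem and not against an unrelated CA, and that the private key plus the leaf and CA certificates can be bundled into one PKCS#12 file, which is the form keytool imports into a Java keystore. The directory under $WORKDIR, the CN values and the bundle password are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post): build the CA -> leaf chain with openssl,
# then verify it and bundle it. Every path under $WORKDIR, the CN values and
# the PKCS#12 password are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="changeit"   # constructed demo password

# Self-signed CA: key and certificate in one req call (-x509 replaces the
# separate "x509 -req -signkey" step). -nodes leaves the key unencrypted so
# the script runs without prompts; a real CA key would be protected.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORKDIR/a_privkey.pem" -out "$WORKDIR/ca_cert.pem"
}

# Leaf key plus certificate signing request.
make_leaf_request() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-user" \
        -keyout "$WORKDIR/my_privkey.pem" -out "$WORKDIR/my_cert.req.pem"
}

# Sign the request with the CA key. -req says the input is a CSR, not a
# certificate; -CAcreateserial creates the serial-number file the CA tracks.
sign_leaf() {
    openssl x509 -req -days 365 -CA "$WORKDIR/ca_cert.pem" \
        -CAkey "$WORKDIR/a_privkey.pem" -CAcreateserial \
        -in "$WORKDIR/my_cert.req.pem" -out "$WORKDIR/my_cert.pem"
}

# Chain check: exit status 0 only if the leaf chains to ca_cert.pem.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca_cert.pem" "$WORKDIR/my_cert.pem" >/dev/null 2>&1
}

# Negative check: the same leaf must NOT verify against an unrelated CA,
# which is why the matching CA certificate has to travel with the key.
verify_against_unrelated_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Unrelated CA" \
        -keyout "$WORKDIR/other_key.pem" -out "$WORKDIR/other_ca.pem" 2>/dev/null
    openssl verify -CAfile "$WORKDIR/other_ca.pem" "$WORKDIR/my_cert.pem" >/dev/null 2>&1
}

# The leaf's issuer name must equal the CA's subject name; both are printed
# without the "issuer="/"subject=" prefix so a caller can compare them.
leaf_issuer() { openssl x509 -noout -issuer  -in "$WORKDIR/my_cert.pem" | sed 's/^[^=]*=//'; }
ca_subject()  { openssl x509 -noout -subject -in "$WORKDIR/ca_cert.pem" | sed 's/^[^=]*=//'; }

# Bundle private key + leaf + CA into PKCS#12: this is the "key entry with a
# certificate chain" the Java KeyStore API wants, and keytool can import it.
bundle_keystore() {
    openssl pkcs12 -export -inkey "$WORKDIR/my_privkey.pem" -in "$WORKDIR/my_cert.pem" \
        -certfile "$WORKDIR/ca_cert.pem" -name "example-user" \
        -passout "pass:$P12_PASS" -out "$WORKDIR/my_keystore.p12"
}

# Count the certificates stored in the bundle (expect 2: leaf and CA).
bundle_cert_count() {
    openssl pkcs12 -in "$WORKDIR/my_keystore.p12" -passin "pass:$P12_PASS" -nokeys \
        | grep -c 'BEGIN CERTIFICATE'
}

make_ca && make_leaf_request && sign_leaf
verify_chain && echo "my_cert.pem chains to ca_cert.pem"
bundle_keystore && echo "bundle holds $(bundle_cert_count) certificates"
```

Run it with `WORKDIR=/some/dir sh chain.sh` to keep the files; the resulting my_keystore.p12 is what `keytool -importkeystore -srckeystore my_keystore.p12 -srcstoretype PKCS12` would load, which answers the post's question: the keystore entry does carry ca_cert.pem alongside my_cert.pem, so a copy of the CA certificate is needed at import time.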