gnumed-devel

Re: [Gnumed-devel] re gnu argus postgres port


From: Syan Tan
Subject: Re: [Gnumed-devel] re gnu argus postgres port
Date: Mon, 20 Jun 2005 00:14:47 +0800


>Agree that would be fantastic, but a version of Argus which supported
>non-HeSA X.509 PKIs would also be good. If the HIC libraries are based
>on OpenSSL, it may be possible to write a thin wrapper around OpenSSL to
>emulate the HIC libraries (which are probably just a thin wrapper
>themselves).
>

I was wondering how to approach certificate chains.
The standard Java API for its KeyStore class is

keyStore.setKeyEntry(alias, privateKey, password, certificateChain)

a certificate chain being an ordered array of type Certificate[].

openssl allows one to generate self-signed certificates:

openssl req -newkey rsa:1024 -keyout a_privkey.pem -out req.pem

This asks the req module to generate a 1024-bit RSA public/private key pair,
with the private key stored in the file a_privkey.pem and the
public key stored in the certificate request req.pem.

then

openssl x509 -req -in req.pem -signkey a_privkey.pem -out ca_cert.pem

this asks the x509 module to accept a request (-req), with the request file
req.pem (-in), signing it with its own private key, thus making it self-signed,
and outputting a self-signed certificate called ca_cert.pem.
Any self-signed certificate can be a CA certificate, if accepted as one, I
suppose.

then, say I've got my certificate request with public key and private key file,

openssl req -newkey rsa:1024 -keyout my_privkey.pem -out my_cert.req.pem

I get my copy of a CA certificate to sign it (and being the CA cert owner,
I've got the private CA key to do the signing),

openssl x509 -req -CA ca_cert.pem -CAkey a_privkey.pem -CAcreateserial \
    -in my_cert.req.pem -out my_cert.pem

(note my_privkey.pem isn't needed, as it is private, and not used for signing
yet)

I can look at my cert

openssl x509 -in my_cert.pem -text

And it shows the details of the ca certificate issuer, but I'm not sure how
you would get a copy, except by requesting one via email. 

So if you now want to save your private key, my_privkey.pem, along
with the certificate, my_cert.pem, you also seem to need
a copy of ca_cert.pem, is that correct?

- in order to use the standard Java KeyStore API.

keyStore.setKeyEntry(alias, getPrivateKey(my_privkey.pem), password,
getCertificates(my_cert.pem, ca_cert.pem))


Looking at the Mozilla certificate manager, it looks like you can
import self-signed certificates and keep them as a collection
of self-signed CA certificates, stored inside an application certificate store.
So would you probably need a similar feature for Argus?
(you could use the same key/certificate store to construct the 2-certificate
chains, and store the CA certificate and the generated public certificate that
matches the local private key being stored).

This seems awkward, so I was wondering if anyone could fill me in on how it's 
supposed to be done.
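The sequence asked about above, as an added example that is not part of the original post: it builds the self-signed CA, has it sign the end-entity request, assembles the two-certificate chain in the order a keystore expects, and checks with openssl verify that the leaf is only trusted together with its CA certificate. It assumes an openssl 1.1.1 or later binary on PATH and a writable temp directory; file names follow the post, and the CA extension file, subject names and key size are mine.

```shell
#!/bin/sh
# Added example (not from the post): the post's openssl steps with working
# flags, plus the checks that show why the CA cert belongs in the chain.
# Assumptions: openssl 1.1.1+ on PATH, a writable temp dir; names as in the post.
set -eu

WORK="${WORK:-$(mktemp -d)}"

build_chain() {
  (
    cd "$WORK"
    # 1. CA key + request, then self-sign the request with that same key.
    #    "Any self-signed cert can be a CA" only if it says so: without
    #    basicConstraints CA:TRUE, openssl verify rejects it as an issuer.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test CA' \
        -keyout a_privkey.pem -out req.pem 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl x509 -req -in req.pem -signkey a_privkey.pem -days 30 \
        -extfile ca.ext -out ca_cert.pem 2>/dev/null
    # 2. My key + request (the post's -outkey is really -keyout).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=my cert' \
        -keyout my_privkey.pem -out my_cert.req.pem 2>/dev/null
    # 3. The CA signs it. Only the CA's key is used; my_privkey.pem stays put.
    openssl x509 -req -in my_cert.req.pem -CA ca_cert.pem -CAkey a_privkey.pem \
        -CAcreateserial -days 30 -out my_cert.pem 2>/dev/null
    # 4. Chain = end-entity cert first, then its issuer: the Certificate[]
    #    order a Java keystore (or any PKCS#12 importer) expects.
    cat my_cert.pem ca_cert.pem > chain.pem
  )
}

# Prints the number of certificates in the assembled chain file.
chain_length() { grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"; }

# Succeeds only if my_cert.pem chains up to a self-signed CA found in $1.
verify_leaf() {
  openssl verify -CAfile "$1" "$WORK/my_cert.pem" 2>/dev/null | grep -q ': OK$'
}

# The issuer name that "openssl x509 -text" also shows: it names the CA
# but does not carry the CA certificate, which is why a copy is still needed.
leaf_issuer() { openssl x509 -in "$WORK/my_cert.pem" -noout -issuer; }
```

Verifying against my_cert.pem alone fails because the leaf is not self-signed and its issuer is absent, which is exactly the gap the CA copy fills.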