2Answers

How to create client SSL certificates for staff using CaCert CA?

17.9k Views
  • 10
name Roicado Vidal

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

Asked: Aug 16,2020 In: Ssl
2 Answers
name Roicado Vidal Punditsdkoslkdosdkoskdo
Asked: Aug 16,2020 In: Ssl

How to create client SSL certificates for staff using CaCert CA?

I would like to restrict the access of a homepage using client SSL certificates. The most tutorials on the internet describe it like this:

  1. create own key CA.key
  2. create server key server.key (self-signed)
  3. sign server.key using CA.key
  4. create (multiple) client keys client_xx.key
  5. sign client_xx.key using CA.key

I don't want to self-sign my server key, but use CaCert instead. So I omitted the first step. But when I want to create the client certificates, which key do I need to use? I don't have CaCerts CA.key.

ssl ssl-certificate openssl
name
  • 0
Serralha Encarnado
Serralha Encarnado Added an answer on Aug 16,2020

I'm not absolutely sure, but since nobody else is answering here's my take.

The only entity which is able to sign certificates is a CA. There are different levels of CAs, so you could in theory set up your own CA subordinate to CaCert (and hence have it have its own CA cert signed by CaCert). This would make normal certificates you would be signing participate in the chain of trust of length 3 (rather than two).

From what I gather from this page, it's somehow possible to become a "CACert member" and get what they call "subroot" certificate — this one would allow you to sign your own certificates and make them trusted by anyone trusting the root CACert certificate (provided you also make available the certificate of your subordinate CA in one way or another — for instance, a server using PEM-formatted certificates might use a certificate file which is merely a concatenation of both the server's certificate and the CA certificate in PEM format).

My personal experience with this kind of setup was this: some time ago the xmpp.net federation provided paid-free certificates for any XMPP server whose admin wished to get one. That federation was itself a CA subordinate to StartCom. So after getting my server certificate I needed to tell my server to present both its own cert and the xmpp.net cert in one bundle to make the trust chain complete for its clients as they would usually trust StartCom but not xmpp.net.

  • 0
Reply Report
name
  • 0
Vanja Bjurlén
Vanja Bjurlén Added an answer on Aug 16,2020

You obviously won't get CACert's key as this would spoil the entire system. What you need to create instead is a "certificate signing request" (aka CSR) along with a new private key and send this CSR over to CACert to get it signed (which would give you a valid signed certificate as a result).

If you are using openssl ca for your certificate management, you might be using something like

openssl req -new -key client1.key -out client1.csr

and paste the contents of client1.csr into CACert's certificate request form.

You also should take a look at CACert's documentation on CSR generation which is covering this exact topic in more detail.

  • 0
Reply Report
    • Roicado Vidal Aug 16,2020
      But in this case client1.key would be bound to my personal cacert account/name, wouldn't it? Is this method really appropriate to create signed certificates for other people than only me?
    • Vanja Bjurlén Aug 16,2020
      @salout It would. If you need to have users full control over the certificate management process after the creation, this approach would not work for you unless you provide some interface which proxies through to CACert's management interface using your account data. I am not all too sure about CACert's options of delegating access for a respective users' certificates, so it may well be that they provide a straight solution to your problem, but the more generic way would be to let the users request the certs themselves and have them sent to you for identity linking.

Trending Tags

android android-sqlite updatemodel gps location html css css-selectors
© 2020 ProDevsBlog
0.2787 sec