• 10

I would like to restrict the access of a homepage using client SSL certificates. The most tutorials on the internet describe it like this:

  1. create own key CA.key
  2. create server key server.key (self-signed)
  3. sign server.key using CA.key
  4. create (multiple) client keys client_xx.key
  5. sign client_xx.key using CA.key

I don't want to self-sign my server key, but use CaCert instead. So I omitted the first step. But when I want to create the client certificates, which key do I need to use? I don't have CaCerts CA.key.

I'm not absolutely sure, but since nobody else is answering here's my take.

The only entity which is able to sign certificates is a CA. There are different levels of CAs, so you could in theory set up your own CA subordinate to CaCert (and hence have it have its own CA cert signed by CaCert). This would make normal certificates you would be signing participate in the chain of trust of length 3 (rather than two).

From what I gather from this page, it's somehow possible to become a "CACert member" and get what they call "subroot" certificate — this one would allow you to sign your own certificates and make them trusted by anyone trusting the root CACert certificate (provided you also make available the certificate of your subordinate CA in one way or another — for instance, a server using PEM-formatted certificates might use a certificate file which is merely a concatenation of both the server's certificate and the CA certificate in PEM format).

My personal experience with this kind of setup was this: some time ago the xmpp.net federation provided paid-free certificates for any XMPP server whose admin wished to get one. That federation was itself a CA subordinate to StartCom. So after getting my server certificate I needed to tell my server to present both its own cert and the xmpp.net cert in one bundle to make the trust chain complete for its clients as they would usually trust StartCom but not xmpp.net.

  • 0
Reply Report

You obviously won't get CACert's key as this would spoil the entire system. What you need to create instead is a "certificate signing request" (aka CSR) along with a new private key and send this CSR over to CACert to get it signed (which would give you a valid signed certificate as a result).

If you are using openssl ca for your certificate management, you might be using something like

openssl req -new -key client1.key -out client1.csr

and paste the contents of client1.csr into CACert's certificate request form.

You also should take a look at CACert's documentation on CSR generation which is covering this exact topic in more detail.

  • 0
Reply Report
    • But in this case client1.key would be bound to my personal cacert account/name, wouldn't it? Is this method really appropriate to create signed certificates for other people than only me?
    • @salout It would. If you need to have users full control over the certificate management process after the creation, this approach would not work for you unless you provide some interface which proxies through to CACert's management interface using your account data. I am not all too sure about CACert's options of delegating access for a respective users' certificates, so it may well be that they provide a straight solution to your problem, but the more generic way would be to let the users request the certs themselves and have them sent to you for identity linking.

Warm tip !!!

This article is reproduced from Stack Exchange / Stack Overflow, please click

Trending Tags