Advisor
msbinu
Posts: 36
Registered: ‎04-26-2006
Message 1 of 6 (174 Views)

OpenSSL help required

Hi,

I'm very new to SSL and I have been asked to set up client-server communication using SSL.

I'm trying to write my program using the OpenSSL libraries.
My questions are about certificate generation using OpenSSL.
What is the procedure to generate a certificate?
Do we have to write separate code to generate a certificate?
Do client and server need separate certificates?
Do we always have to generate a certificate, or can we use the same certificate always?

I know that these questions are very basic,
but I'm completely ignorant about SSL.
Any help will be greatly appreciated.

Regards
Binu
Honored Contributor
Arunvijai_4
Posts: 4,194
Registered: ‎04-07-2005
Message 2 of 6 (174 Views)

Re: OpenSSL help required

Hi Binu,

Q) What is the procedure to generate a certificate?
A) You can use the "openssl" utility to generate certificates.

Example : openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf


Q) Do we have to write separate code to generate a certificate?

A) You can use the OpenSSL tool for this. No need to write a separate app.

Q) Do client and server need separate certificates?

A) It depends on which way you prefer.

Q) Do we always have to generate a certificate, or can we use the same certificate always?

A) You can use the same certificate till it expires.

Some links,
http://www.openssl.org
http://www.flatmtn.com/computer/Linux-SSLCertificates.html#SSLCert-5
http://www.pseudonym.org/ssl/ssl_cook.html

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 3 of 6 (174 Views)

Re: OpenSSL help required

Shalom Binu,

What is the procedure to generate a certificate?
http://www.google.com/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fslacksite.com%2Fapache%2Fcertificate.htm...
Certificate cookbook:
http://www.google.com/url?sa=t&ct=res&cd=2&url=http%3A%2F%2Fwww.pseudonym.org%2Fssl%2Fssl_cook.html&...
Do we have to write separate code to generate a certificate?
No.
Do client and server need separate certificates?
Client needs nothing. They will be prompted to accept the server certificate at first login, depending on connection method.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Advisor
msbinu
Posts: 36
Registered: ‎04-26-2006
Message 4 of 6 (174 Views)

Re: OpenSSL help required

Thanks a lot Arun,
Some more doubts.

I didn't understand what you meant by expiry of the certificate.

Also, I'm still confused about the certificate generation.
The example which you have given is to be done from our code?
Please remember that I'm not using HTTPS.
I'm trying to implement client-server socket communication.

Binu
Advisor
msbinu
Posts: 36
Registered: ‎04-26-2006
Message 5 of 6 (174 Views)

Re: OpenSSL help required

Hi Arun, Steven,

Please note that I don't have Apache or anything like that.
I have to implement SSL using C++.

Regards
Binu
Honored Contributor
Arunvijai_4
Posts: 4,194
Registered: ‎04-07-2005
Message 6 of 6 (174 Views)

Re: OpenSSL help required

Hi Binu,

Q) I didn't understand what you meant by expiry of the certificate.

When you generate a certificate, openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

You specify "-days". In this example, I have given the expiry as "365" days. You can specify your own time. Note that the certificate will expire after one year and you need to regenerate it.

Also, I'm still confused about the certificate generation.
The example which you have given is to be done from our code?

Yes, you can create it with any C/C++ program using the OpenSSL utility.

-Arun

P.S Remember to assign points.
"A ship in the harbor is safe, but that is not what ships are built for"
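
What the "-days" value discussed in this thread controls, as an added example that is not part of the original posts: it generates a self-signed certificate with a command shaped like the one quoted above, then uses `openssl x509 -checkend` to test how close that certificate is to expiry. The temporary directory, the minimal openssl.cnf and the subject name demo.example.test are assumptions made for the example.

```shell
#!/bin/sh
# Added example; the subject name and directory layout are constructed.

# make_cert DIR DAYS: create DIR/private/cakey.pem and DIR/cacert.pem,
# self-signed and valid for DAYS days, using a minimal DIR/openssl.cnf.
make_cert() {
    dir=$1 days=$2
    mkdir -p "$dir/private" && chmod 700 "$dir/private" || return 1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo.example.test
[v3_ca]
basicConstraints = CA:TRUE
EOF
    # -nodes leaves the key unencrypted so the demo runs without a
    # passphrase prompt; drop it to protect the key with a passphrase.
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -extensions v3_ca \
          -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
          -days "$days" -config "$dir/openssl.cnf" 2>/dev/null )
}

# expires_within CERT SECONDS: succeed (exit 0) if CERT is expired or will
# expire within SECONDS. An unreadable file also counts as "needs renewal".
expires_within() {
    ! openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# Demo: a 365-day certificate checked against a 30-day renewal window.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" 365
openssl x509 -noout -enddate -in "$demo_dir/cacert.pem"   # notAfter=...
if expires_within "$demo_dir/cacert.pem" 2592000; then
    echo "renew now: expires within 30 days"
else
    echo "ok: more than 30 days of validity left"
fi
rm -rf "$demo_dir"
```

Running `expires_within` from a scheduled job gives warning before a certificate created with a fixed "-days" value lapses.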