Chaining x.509 certificates


I'm fairly new to x.509 certificates, etc.  Please forgive a novice.

I work for a software development organization.  We've used a Verisign
x.509 certificate (via keytool and jarsigner) to sign our jars before
they get shipped to customers for a few years.  Now we're going to be
shipping a new product enhancement that uses https for security.

It looks like, with https, our customer will need their own x.509
certificate.  They can, of course, generate their own self-signed
certificate, or get one from Verisign, et al.

I'm wondering if there is a third option.  For us to create a
sub-certificate off of our current one.

After digging through keytool and a whole pile of stuff on Google for a
day (and barely scratching the surface), I still have not figured out
the magical step of chaining an x.509 certificate.  Keytool refers to
importing a chained certificate from the CA, but nothing about how the
CA creates it.

I suppose, if it were easy, Verisign would quickly go out of business.

Any suggestions or references would be greatly appreciated.

Re: Chaining x.509 certificates

The real question is whether your https protocol requires mutual
That is, do you require that each client identify themselves with a
public/private key challenge.
If not, you only need a certificate for your servers. They need to identify
themselves to the client, but not the other way around.

A chained certificate is when one CA certifies another one as a CA and not a
user. It has some extra bits turned on in the certificate if this is so.
Verisign typically only signs CA certificates for themselves and for users.
You cannot "properly" sign a CA certificate with a user's certificate (as far
as the certificate validation software is concerned).



Re: Chaining x.509 certificates

Our web app uses a challenge/retort process to validate the user, so
it's just the server side that needs the certificate.

Re: Chaining x.509 certificates

If your user group is small, you can generate your own self-signed root
certificate (and key), and then generate certificates for your customers
using tools like OpenSSL (see the thread "Certificate Management Tools",
originated by TC on April 27, 18:35). You have to load your root
certificate into your customer's trusted certificate repositories to
avoid browser warnings.


A certificate contains extensions describing its allowed uses. The
certificate you got from Verisign probably doesn't allow
subcertification or issuing CRLs. So the software validating the
certificate chain _should_ at least issue warnings on this.


An answer by Ann & Lynn Wheeler to the post mentioned above lists many
references on this subject.
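
The two replies above make the same point from different angles: what turns a certificate into a CA certificate is the "extra bits", i.e. the basicConstraints and keyUsage extensions, and with a small user group you can run your own root and issue the customers' server certificates from it. The script below is an added example, not code from the thread, from Verisign or from keytool/OpenSSL documentation; it needs only the openssl command line. It builds a private root, issues an HTTPS server certificate to a placeholder customer host, and then does what the original question asked about: it uses the end-entity (non-CA) certificate to sign a further certificate, to show that openssl will happily produce the signature but validation of that chain is rejected. The CA name and the *.example.com host names are made-up placeholders.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread). Needs the openssl CLI, 1.1.x or
# newer. "Example Software Root CA" and the *.example.com names are made-up
# placeholders; everything is written to a scratch directory.
set -eu

# The "extra bits" that mark a certificate as a CA: basicConstraints CA:TRUE
# plus the keyCertSign key usage. Without them a validator will not accept
# the certificate as an issuer, no matter who signed it.
write_ca_ext() {
  cat > "$1" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Extensions for an end-entity (HTTPS server) certificate: explicitly CA:FALSE.
write_server_ext() {  # usage: write_server_ext <file> <dns-name>
  cat > "$1" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Private key plus CSR for one subject.  usage: new_csr <dir> <basename> <CN>
new_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/$2.key" 2>/dev/null
  openssl req -new -batch -key "$1/$2.key" -subj "/CN=$3" \
    -out "$1/$2.csr" 2>/dev/null
}

# Build: private root -> customer server cert, then the misuse case in which
# the server (end-entity) certificate is itself used to sign another one.
build_demo_pki() {  # usage: build_demo_pki <dir>
  local d=$1
  mkdir -p "$d"
  write_ca_ext "$d/root.ext"
  write_server_ext "$d/server.ext" customer.example.com
  write_server_ext "$d/sub.ext" sub.example.com

  # 1. Self-signed private root CA (CA:TRUE, keyCertSign).
  new_csr "$d" root "Example Software Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null

  # 2. The customer's HTTPS server certificate, issued by our root.
  new_csr "$d" server customer.example.com
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$d/server.ext" \
    -out "$d/server.pem" 2>/dev/null

  # 3. Misuse: sign a third certificate with the server (CA:FALSE) certificate.
  #    openssl x509 performs the signature without complaint; the chain is
  #    refused later, by the validator (exact error text varies by version).
  new_csr "$d" sub sub.example.com
  openssl x509 -req -in "$d/sub.csr" -CA "$d/server.pem" -CAkey "$d/server.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$d/sub.ext" \
    -out "$d/sub.pem" 2>/dev/null
}

# Print CA:TRUE or CA:FALSE from a certificate's basicConstraints extension.
ca_flag() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Basic Constraints/ { getline; gsub(/ /, ""); print; exit }'
}

# Validate <leaf> against <root>, optionally through an untrusted intermediate.
# Prints OK or REJECTED.  usage: verify_chain <root> <leaf> [intermediate]
verify_chain() {
  local root=$1 leaf=$2 inter=${3:-}
  if openssl verify -CAfile "$root" ${inter:+-untrusted "$inter"} "$leaf" >/dev/null 2>&1
  then echo OK
  else echo REJECTED
  fi
}

main() {
  local d
  d=$(mktemp -d)
  build_demo_pki "$d"
  echo "root   basicConstraints: $(ca_flag "$d/root.pem")"
  echo "server basicConstraints: $(ca_flag "$d/server.pem")"
  echo "server issued by root:         $(verify_chain "$d/root.pem" "$d/server.pem")"
  echo "sub issued by server (non-CA): $(verify_chain "$d/root.pem" "$d/sub.pem" "$d/server.pem")"
  # Let the validator state its own reason for the rejection.
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/server.pem" "$d/sub.pem" 2>&1 || true
  echo "Ship $d/root.pem to customers for their trust store; keep root.key offline."
}
main "$@"
```

The root.pem produced here is the file that has to be loaded into each customer's trusted certificate store (for a Java client, `keytool -importcert -trustcacerts -file root.pem` into the truststore); root.key never leaves your organization. The third step is the answer to the original question: a certificate Verisign issued to you as a user or server carries CA:FALSE and no keyCertSign, so anything you sign with it is rejected by the very validation software you are trying to satisfy, which is why the CA has to issue the intermediate with the CA bits set.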


Re: Chaining x.509 certificates

Thanks for the references.  I had looked at them, but not all the way
to the last one ( ) that really covered
what I needed.

One piece I'm still missing.  How to import our current cert into
openssl.  I assume we need to make it into a .pem?  If I try to read
it, I get several errors like:

$ openssl x509 -noout -fingerprint -in cert.cer
unable to load certificate
4824:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
4824:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
4824:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested
asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509
4824:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1

What format would a Verisign certificate be in?  It begins with
-----BEGIN CERTIFICATE----- and is in base64 format.
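
The trace above fails inside the ASN.1 decoder rather than in the PEM reader, so the base64 was unwrapped but what came out did not parse as a bare X.509 certificate. A file that starts with -----BEGIN CERTIFICATE----- is not always one: PKCS#7 bundles (.p7b), DER files with a .cer extension and a wrong -inform guess all produce confusing errors. The script below is an added example, not code from the thread: a small probe that asks openssl to parse a file as each of the common containers and converts whichever matches to PEM, plus a fingerprint helper for comparing the result against what keytool shows. The sample files it creates are constructed throw-away certificates, and the file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread). Needs the openssl CLI. Probes which
# container a certificate file really uses and normalises it to PEM.
set -eu

# Print PEM, DER, PKCS7-PEM, PKCS7-DER or UNKNOWN for a certificate file.
# Each probe simply asks openssl to parse the file as that type; the first
# parser that succeeds wins.
cert_format() {
  if   openssl x509  -in "$1" -inform PEM -noout >/dev/null 2>&1; then echo PEM
  elif openssl x509  -in "$1" -inform DER -noout >/dev/null 2>&1; then echo DER
  elif openssl pkcs7 -in "$1" -inform PEM -noout >/dev/null 2>&1; then echo PKCS7-PEM
  elif openssl pkcs7 -in "$1" -inform DER -noout >/dev/null 2>&1; then echo PKCS7-DER
  else echo UNKNOWN
  fi
}

# Rewrite <in> as PEM certificate(s) in <out>; fails on unrecognised input.
# A PKCS#7 bundle yields every certificate it carries, in order.
to_pem() {  # usage: to_pem <in> <out>
  case "$(cert_format "$1")" in
    PEM)       openssl x509  -in "$1" -inform PEM -out "$2" ;;
    DER)       openssl x509  -in "$1" -inform DER -out "$2" ;;
    PKCS7-PEM) openssl pkcs7 -in "$1" -inform PEM -print_certs -out "$2" ;;
    PKCS7-DER) openssl pkcs7 -in "$1" -inform DER -print_certs -out "$2" ;;
    *) echo "unrecognised certificate container: $1" >&2; return 1 ;;
  esac
}

# SHA-256 fingerprint of a PEM certificate, e.g. to compare with keytool -list.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed inputs: one throw-away self-signed certificate in each container,
# plus a file that is not a certificate at all.
make_samples() {  # usage: make_samples <dir>
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=format-demo" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.cer"
  openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -out "$1/bundle.p7b"
  openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -outform DER -out "$1/bundle.der.p7b"
  printf 'this is not a certificate\n' > "$1/junk.txt"
}

main() {
  local d
  d=$(mktemp -d)
  make_samples "$d"
  for f in cert.pem cert.cer bundle.p7b bundle.der.p7b junk.txt; do
    printf '%-16s %s\n' "$f" "$(cert_format "$d/$f")"
  done
  to_pem "$d/cert.cer" "$d/from-der.pem"
  echo "fingerprint (PEM): $(fingerprint "$d/cert.pem")"
  echo "fingerprint (DER): $(fingerprint "$d/from-der.pem")"
}
main "$@"
```

Run `cert_format` on the file that produced the error above before guessing at -inform flags. Note also what an exported certificate can and cannot contain: `keytool -exportcert` writes the public certificate only (DER by default, PEM with -rfc); the private key stays inside the keystore and never appears in an exported certificate file.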

Re: Chaining x.509 certificates

Aaah, found that if I do an export of the certificate with keytool, I
can read it.  Can't seem to find the private key in there anywhere.
