Re: Another angle... Client Authentication with SSL? -- MIDRANGE-L

I am running the client application making the request to
the server.

The server is using client authentication.

The people running the server sent us their public
(personal) key.

We created a private client key.

I've set up my client application to trust all these keys.

There is no way that I can find to import the private
client key so that I can assign it to my client
application.  It won't let me import it into the
server/client store because it says there's no request
associated with the key when I try to import it.  I can
import it into the CA store.

But I can tell my app to "trust" the both certs when they
are in the CA store.

We're missing something in this equation because our
handshake is failing.  What piece, not sure.  That's the
problem.  

Brad


On Tue, 13 Jan 2004 14:29:41 -0600
 Patrick Botz <botz@xxxxxxxxxx> wrote:
> 
> Brad,
> 
> You need to associated the CA certificate that signed the
> client
> certificate with the application that is going to accept
> those certifictes.
> This is done through DCM.  You don't need the whole
> certificate stored on
> the OS/400 side. This depends on the application that is
> going to accept
> the certificate though. If you are doing client
> authentication with a web
> server application, then you can match certain pieces of
> the certificate.
> The system validates the cert and ensures it is siged by
> a CA trusted by
> the applicaiton. The application, in this case the HTTP
> server, can then
> choose to trust certificates that match info that is part
> of the DN in the
> cert and/or just the issuer of the cert (i.e. the CA that
> signed it).
> 
> Alternatively you can choose to trust specific
>  certificates, etc.
> 
> Some of the certificate matching function is dependent of
> the application
> you're using. If you're writing your own app, the APIs
> exist that allow you
> to do any kind of matching.
> 
> Hope this helps
> 
> Patrick Botz
> Senior Technical Staff Member
> eServer Security Architect
> (507) 253-0917, T/L 553-0917
> email: botz@xxxxxxxxxx
> 
> 
> 
> 
> <snip>
> I think the biggest problem understand this is when and
> where do we install certificates, and who creates them.
>  It
> sounds like, in your description, either the client
> creates
> a cert to validate itself to the server on the fly, or
> prior to communications the server must install a cert
> provided by the client for authentication, as well as the
> client machine installing a cert from the server.
> 
> See, even that sounds confusing.  :)  See where I'm going
> with this?  In this case, myself, the client, has
> installed
> a cert provided by the server side.  That's it.  Should
> there be more setup?
> </snip>
> _______________________________________________
> This is the Midrange Systems Technical Discussion
> (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit:
> http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the
> archives
> at http://archive.midrange.com/midrange-l.
> 
> 
> 
> 
> 
> _______________________________________________
> This is the Midrange Systems Technical Discussion
> (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit:
> http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the
> archives
> at http://archive.midrange.com/midrange-l.
> 

Bradley V. Stone
BVS.Tools
www.bvstools.com