Yes, the great majority of applications need the ability to build the 'trust chain' from the end-entity certificate (in this case, the cert used on the client app) to the trust anchor (the 'root' cert).
In many cases, Root CAs are maintained in an 'offline' state in order to provide an additional level of protection to the Root CA signing key - in those instances, an online Subordinate CA is created (signed by the Root CA) in order to issue the end-entity certificates. If you create this type of multi-tiered PKI, you'll need to install both the Root CA certificate and the Subordinate CA (leaf) certificate in the application in order to build the chain from the end-entity cert.
Cheers,
Bill
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Erki Männiste
Sent: 04 July 2012 18:38
To: security-basics (at) securityfocus (dot) com
Subject: Validating SSL certificates
Hi
We are developing software that is going to be used offline. We have to somehow check if the user's licence is still valid and for that, we have decided to use X.509 certificates. So we would create a self-signed root CA and inherit client certificates from that certificate. So in our program we are able to check if the client cert is still valid (expiration date attributes) and also that the client cert is a leaf of our root CA. My first question is: is it enough, and moreover, is it a good idea?
I've been googling around the internet but I have not found a good source that explains the magic behind this in less than 100 pages. So I ask some more questions:
a) Do I have to include the root CA in the program as well to verify the chain, or does the client certificate somehow know who its root CA is, so that I could hardcode only the root CA's thumbprint for verification?
b) If I need the root CA, do I have to install it in the certificate store to perform the validation or can I just use it? It really wouldn't be a problem to store it as a line of bytes in the database (without primary key), but the less the better. I ask this because my validation code failed when the root CA was not in the trusted root store, but passed when it was. Perhaps my code was wrong.
Thanks
erki
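Bill's answer and Erki's questions (a) and (b) together describe a chain that runs licence certificate -> subordinate CA -> root, verified against a trust anchor the application carries itself. The Go program below is an added example written for this page, not code from either poster. It builds such a hierarchy in memory with Go's standard crypto/x509 package (the CA names, the customer "acme" and the lifetimes are invented), then verifies the licence four ways: with root and subordinate supplied, with the subordinate missing, with the root missing, and with the clock advanced past the licence's expiry. Roots are passed as an explicit pool, so nothing depends on the operating-system certificate store, and the root's SHA-256 fingerprint stands in for the hard-coded thumbprint of question (a).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed three-tier hierarchy: offline root -> online
// subordinate (issuing) CA -> per-customer licence certificate. Names are invented.
type DemoPKI struct{ Root, Sub, Licence *x509.Certificate }

// must panics on error: for a PKI built in memory for a demo there is no recovery.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a certificate template valid from an hour before now for lifetime.
func template(cn string, serial int64, lifetime time.Duration, now time.Time, ku x509.KeyUsage, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(lifetime),
		KeyUsage: ku, IsCA: isCA, BasicConstraintsValid: true,
	}
}

// sign issues tmpl for pub under parent with signerKey; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}

// BuildDemoPKI issues a licence for customer that expires licenceLife after now. The root
// key signs the subordinate once and is then dropped (the in-memory equivalent of offline).
func BuildDemoPKI(now time.Time, customer string, licenceLife time.Duration) *DemoPKI {
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, subKey, leafKey := key(), key(), key()
	rootTmpl := template("Example Licence Root CA", 1, 10*365*24*time.Hour, now, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true)
	rootTmpl.MaxPathLen = 1 // exactly one tier of CAs may sit below the root
	root := sign(rootTmpl, nil, &rootKey.PublicKey, rootKey)
	subTmpl := template("Example Licence Issuing CA", 2, 5*365*24*time.Hour, now, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true)
	subTmpl.MaxPathLen, subTmpl.MaxPathLenZero = 0, true // may issue end-entity certs only
	sub := sign(subTmpl, root, &subKey.PublicKey, rootKey)
	leafTmpl := template("licence:"+customer, 1001, licenceLife, now, x509.KeyUsageDigitalSignature, false)
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return &DemoPKI{Root: root, Sub: sub, Licence: sign(leafTmpl, sub, &leafKey.PublicKey, subKey)}
}

// Fingerprint is the SHA-256 of the DER encoding: what an application hard-codes to pin its root.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyLicence builds licence -> intermediates -> anchor from the certificates passed in.
// Roots is a non-nil pool even when empty, so Go never consults the OS trust store.
func VerifyLicence(licence, anchor *x509.Certificate, pinnedRoot string, intermediates []*x509.Certificate, now time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	if anchor != nil {
		if Fingerprint(anchor) != pinnedRoot {
			return fmt.Errorf("trust anchor %q does not match the pinned fingerprint", anchor.Subject.CommonName)
		}
		roots.AddCert(anchor)
	}
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := licence.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		CurrentTime: now, // every certificate's NotBefore/NotAfter is checked against this clock
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	pki := BuildDemoPKI(now, "acme", 365*24*time.Hour)
	pin, chain := Fingerprint(pki.Root), []*x509.Certificate{pki.Sub}
	fmt.Println("issuer named in licence:", pki.Licence.Issuer.CommonName) // the subordinate, not the root
	fmt.Println("root + subordinate:", VerifyLicence(pki.Licence, pki.Root, pin, chain, now))
	fmt.Println("root only:", VerifyLicence(pki.Licence, pki.Root, pin, nil, now))
	fmt.Println("subordinate only:", VerifyLicence(pki.Licence, nil, pin, chain, now))
	fmt.Println("two years later:", VerifyLicence(pki.Licence, pki.Root, pin, chain, now.Add(2*365*24*time.Hour)))
}
```

Two things the program shows that the thread only states: the licence names only its issuer (the subordinate), so the root has to travel with the application, and verification against an explicit root pool succeeds without the root being installed in any store. Two limits worth adding to Erki's "is it enough?": an offline client cannot check revocation, so a leaked licence stays valid until its NotAfter, and CurrentTime is whatever the host clock says, which the licence holder controls.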