RE: Generating keys to be used in a specific implementation - Openssl
> I have a desktop/server agent that listens for TCP connections to
> process some information. And now I'm trying to implement privacy
> and authentication for this application, to ensure that only my
> trusted application interacts with these TCP agents.
> Another problem is that I'm not sure if it really needs a
> self-signed certificate to authenticate the clients in a scenario
> where a method with a fixed pair of private keys is already implemented.
> Could someone help me with this objective?
> Examples, articles and documentation will be appreciated.
Since you have complete control over both ends (right?), you can just
generate keys and certificates following any web page and then hard code
each side to check for the key it's expecting from the other side.
You can generate a key with 'openssl genrsa -out key.pem 1024'. You can
generate a self-signed certificate by following the instructions:
If you are 100% sure both ends will always be trusted, you can simply
include the server certificate, client certificate, and client key in the
client. You include the client certificate, client key, and server
certificate in the server. Then just confirm that the other side is using
the proper certificate.
Note that this means compromising one client compromises them all.
It's more complex, but arguably, the right approach is to create your own
CA. Issue a client to the server with a common name the clients check for.
Issue each client its own certificate for a different key with a different
common name. This will mean that compromising one client doesn't compromise
them all and will also allow the server to securely determine what client
it's talking to.
This will also require less specialized coding, since you can simply hard
code the CA's certificate in the client and server, and then they don't need
any special code to recognize the clients -- just tell OpenSSL that our CA
certificate is the only CA.
If you choose to go that way:
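The private-CA layout the reply describes (one CA certificate that both sides trust as the only CA, a server certificate with a fixed common name the clients check, and a separate key and certificate per client), as an added shell example that is not from the original thread. It drives the openssl command line; the names agent-ca, agent-server and client-01 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, issue a server
# certificate and one client certificate, then check that only certificates
# chained to that CA verify. Names agent-ca/agent-server/client-01 are assumed.
set -eu

# Issue a certificate for a fresh key, signed by the CA in dir $1, with CN=$2.
issue_cert() {
    d="$1"; cn="$2"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$cn.key" \
        -out "$d/$cn.csr" -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$d/$cn.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/$cn.crt" 2>/dev/null
}

# Create the CA plus a server cert and a client cert under directory $1.
make_agent_pki() {
    d="$1"; mkdir -p "$d"
    # Self-signed CA: the only certificate either side is told to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=agent-ca" 2>/dev/null
    issue_cert "$d" agent-server   # fixed CN that every client checks for
    issue_cert "$d" client-01      # each client gets its own key and CN
}

# Returns 0 if certificate $2 chains to CA certificate $1, non-zero otherwise.
# This is the "our CA is the only CA" check both peers perform on each other.
verify_with_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the CN of certificate $1, for the expected-common-name check.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

main() {
    work=$(mktemp -d)
    make_agent_pki "$work/pki"
    # An unrelated CA stands in for "any other issuer": its certs must fail.
    make_agent_pki "$work/other"
    verify_with_ca "$work/pki/ca.crt" "$work/pki/client-01.crt" && echo "client-01: trusted"
    verify_with_ca "$work/pki/ca.crt" "$work/other/client-01.crt" || echo "foreign client-01: rejected"
    echo "server CN: $(cert_cn "$work/pki/agent-server.crt")"
    rm -rf "$work"
}
main "$@"
```

The same two checks (chain to the pinned CA, then compare the common name) are what the client and server code must perform on the peer certificate once the TLS handshake completes.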
OpenSSL Project http://www.openssl.org