Working with CA-issued certs

Does anyone know of good, step-by-step guides for people who are not specialist cryptographers on how to perform the following tasks:

* Given a certificate issued by a CA, how to import and use it in Cryptlib (for securing SSL sessions)? This one may be as straightforward as simply calling cryptImportCert, but I'd just like to confirm that.

* How to go through the process of preparing a certificate for signing by a commercial CA (such as Verisign or Comodo), in terms of what has to be prepared, what form it needs to be in and what should be done with the information when it is returned by the CA.

Once again, this is probably very simple stuff, but IANAC (I am not a cryptographer) and am hoping for something that does a bit more hand-holding than the Cryptlib manual (a very fine document, but also somewhat technical).

I asked questions like this a couple of years ago, and got a quizzical, "I'm not sure I understand you" sort of response, particularly to the first question, so I'll clarify a little... Imagine that you're installing a mail server on a machine where there is already an HTTP server running for which a certificate has been issued by (for example) Verisign: what I want to know is what is required to import that certificate into Cryptlib for use in securing (as an example) POP over SSL... Or can this not even be done, perhaps?

Sorry if this is basic stuff - I hope someone will humour me.

Cheers!

-- David --

------------------ David Harris -+- Pegasus Mail ----------------------
Box 5451, Dunedin, New Zealand | e-mail: David.Harris@...
Phone: +64 3 453-6880 | Fax: +64 3 453-6612
Newspaper headlines we wished we'd seen: "Psychic pigmy escapes from jail: small medium at large."

_______________________________________________
Cryptlib mailing list
Cryptlib@... via Mail: cryptlib-request@...
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please subscribe in order to post messages.

Re: Working with CA-issued certs

"David Harris" <David.Harris@...> writes:

> * Given a certificate issued by a CA, how to import and use it in
>   Cryptlib (for securing SSL sessions)? This one may be as
>   straightforward as simply calling cryptImportCert, but I'd just like to
>   confirm that.

It's as straightforward as calling cryptImportCert().

> * How to go through the process of preparing a certificate for signing
>   by a commercial CA (such as Verisign or Comodo), in terms of
>   what has to be prepared, what form it needs to be in and what
>   should be done with the information when it is returned by the CA.
>   Once again, this is probably very simple stuff, but IANAC (I am not
>   a cryptographer) and am hoping for something that does a bit
>   more hand-holding than the Cryptlib manual (a very fine document,
>   but also somewhat technical).

This should be explained in "The Certification Process" on p.145. The details of submitting it to the CA aren't covered because it's CA-specific, usually they either want you to email it to them or paste the base64-encoded form into a web page, but you'd have to go to your CA's web page to see what it wants.

Peter.

Re: Working with CA-issued certs

On 14 Aug 2008 at 13:44, Peter Gutmann wrote:

> > * Given a certificate issued by a CA, how to import and use it in
> >   Cryptlib (for securing SSL sessions)? This one may be as
> >   straightforward as simply calling cryptImportCert, but I'd just like to
> >   confirm that.
>
> It's as straightforward as calling cryptImportCert().

But where do you get the private key from? Presumably there had to be one during the creation of the certificate, and I imagine that it's not usually contained in the thing the CA sends back to you. (Remember, I am not a cryptographer, so this may be a totally inane comment - if so, I apologize and will boil my head on demand ;-) ).

> This should be explained in "The Certification Process" on p.145.
> The details of submitting it to the CA aren't covered because it's
> CA-specific, usually they either want you to email it to them or
> paste the base64-encoded form into a web page, but you'd have to
> go to your CA's web page to see what it wants.

Thanks Peter. I've just re-read that section of the manual again and can imagine that by playing around with it for a while, I should eventually be able to work it out.

Oh, by the way, I liked the "typo" on p148, where you define CMP as "Certificate Mismanagement Protocol"... <grin>. Come on, Peter - don't be shy: tell us what you *really* think of CMP. <even bigger grin>

Thanks again!

Cheers!

-- David --

------------------ David Harris -+- Pegasus Mail ----------------------
Box 5451, Dunedin, New Zealand | e-mail: David.Harris@...
Phone: +64 3 453-6880 | Fax: +64 3 453-6612
On the menu of an Istanbul Restaurant: "Mixed girrl and baked beings."

Re: Working with CA-issued certs

At 2008-08-14 17:30:16 +1200, David.Harris@... wrote:

> > It's as straightforward as calling cryptImportCert().
>
> But where do you get the private key from? Presumably there had to be
> one during the creation of the certificate, and I imagine that it's
> not usually contained in the thing the CA sends back to you.

You should have the key already. Here's how it works: First, you generate a key pair. Then you generate a CSR, which contains your public key and some metadata, signed with your private key. Then you send it to a CA, which signs your public key with its private key and sends you back the signed public key (certificate). You call cryptImportCert() to use that certificate as your public key, and use the private key you generated to begin with.

> (Remember, I am not a cryptographer, so this may be a totally inane
> comment - if so, I apologize and will boil my head on demand ;-) ).

(I'm no cryptographer either, so if I got some details wrong, I'd be happy to be told to boil my head. I can't promise to actually do it, though. ;)

-- ams

Re: Working with CA-issued certs

On 15 Aug 2008 at 6:49, Abhijit Menon-Sen wrote:

> > > It's as straightforward as calling cryptImportCert().
> >
> > But where do you get the private key from? Presumably there had to be
> > one during the creation of the certificate, and I imagine that it's
> > not usually contained in the thing the CA sends back to you.
>
> You should have the key already.

I think you missed the point of my question.

Imagine that you have run up an Apache web server (presumably using OpenSSL) on a machine, and have gone through the process of getting a certificate for that server so it can do SSL.

Now imagine that you want to set up a mail server on the *same machine* (so, the domain name in the certificate is the same), but the mail server uses Cryptlib. How can you take the certificate that was issued for the Apache system and import it into Cryptlib?

I've asked this question in a variety of forms over the years, but nobody ever seems to have quite got what I mean, which suggests to me that I'm asking to do something that's either not possible or not sensible, but it seems the height of folly to pay a CA twice for two certificates for the same system. I wonder what I'm missing here.

Cheers!

-- David --

------------------ David Harris -+- Pegasus Mail ----------------------
Box 5451, Dunedin, New Zealand | e-mail: David.Harris@...
Phone: +64 3 453-6880 | Fax: +64 3 453-6612
On the box of a clockwork toy from Hong Kong: "Guaranteed to work throughout its useful life."

Re: Working with CA-issued certs

David Harris wrote:

> On 15 Aug 2008 at 6:49, Abhijit Menon-Sen wrote:
>
>>>> It's as straightforward as calling cryptImportCert().
>>> But where do you get the private key from? Presumably there had to be
>>> one during the creation of the certificate, and I imagine that it's
>>> not usually contained in the thing the CA sends back to you.
>> You should have the key already.
>
> I think you missed the point of my question.
>
> Imagine that you have run up an Apache web server (presumably
> using OpenSSL) on a machine, and have gone through the process of
> getting a certificate for that server so it can do SSL.
>
> Now imagine that you want to set up a mail server on the *same
> machine* (so, the domain name in the certificate is the same), but the
> mail server uses Cryptlib. How can you take the certificate that was
> issued for the Apache system and import it into Cryptlib?

So you have an OpenSSL private key and certificate, and you want to import them both into Cryptlib? http://www.oryx.com/ams/pemtrans.html looks promising (based just on that page, I haven't downloaded it and looked at the manual).

This leaves the possible question "where does Apache store its private key PEM file". Someone here might know, otherwise check the Apache documentation or grep for a file with the strings

-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

or

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

(See also http://www.openssl.org/docs/apps/pkcs8.html)

Of course if you are using the OpenSSL PKCS#11 engine and your keys are actually in a hardware HSM things get trickier - or maybe easier if you can just tell Cryptlib to use the same PKCS#11 device.

--
ALAN BRAGGINS
Senior Software Engineer
nCIPHER
+44 1223 723600
http://www.ncipher.com

Re: Working with CA-issued certs

At 2008-08-15 14:45:44 +1200, David.Harris@... wrote:

> I think you missed the point of my question.

I'm sorry.

> Imagine that you have run up an Apache web server (presumably using
> OpenSSL) on a machine, and have gone through the process of getting
> a certificate for that server so it can do SSL.

OK. So you have your private key in a .key file, and your public key got signed by the CA and returned to you as a .crt file. Right?

> Now imagine that you want to set up a mail server on the *same
> machine* (so, the domain name in the certificate is the same), but the
> mail server uses Cryptlib. How can you take the certificate that was
> issued for the Apache system and import it into Cryptlib?

The certificate can be imported with cryptImportCert(). The private key is in an undocumented OpenSSL-specific format, which cryptlib does not attempt to support. I think this is in the cryptlib FAQ somewhere.

I wrote a program called pemtrans to take an OpenSSL .key file and a certificate and write them to a cryptlib key file. I won't discuss it further here; I gather Peter does not approve of it, because it's bad practice to keep your private key in multiple places/forms. I cannot disagree, but in my (cryptlib-based) application, compatibility with OpenSSL key/crt files is essential. (Google knows. Write to me off-list if you want to discuss it further.)

> I've asked this question in a variety of forms over the years, but
> nobody ever seems to have quite got what I mean, which suggests to
> me that I'm asking to do something that's either not possible or not
> sensible, but it seems the height of folly to pay a CA twice for two
> certificates for the same system.

The question seems perfectly sensible to me, so I hope I haven't missed your point once again.

-- ams

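The flow Abhijit describes (key pair, then CSR, then a certificate signed by the CA's private key), together with the check that a returned .crt really belongs to the .key you already hold and Alan's PEM-header search for the Apache key, as an added example that is not part of the thread and not cryptlib or pemtrans code. It uses the openssl command line with a throwaway CA standing in for Verisign or Comodo; the hostname, file names and working directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from cryptlib: walks the flow
# Abhijit describes (key pair -> CSR -> CA-signed cert) with the openssl
# CLI and a throwaway CA, then checks that the returned certificate
# belongs to the private key on disk. Hostname and file names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: generate the server key pair. The private key stays on this
# machine; only the public half travels to the CA inside the CSR. genpkey
# writes PKCS#8 PEM, i.e. the "-----BEGIN PRIVATE KEY-----" form Alan lists.
make_server_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
}

# Step 2: build the CSR (public key + subject), signed with the server's
# own private key to prove possession of it.
make_csr() {
    openssl req -new -key "$WORK/server.key" \
        -subj "/CN=mail.example.test" -out "$WORK/server.csr" 2>/dev/null
}

# Step 3: stand in for the commercial CA. The CA signs the CSR's public
# key with its own private key and hands back server.crt; the server's
# private key is never part of what comes back, which is David's question.
make_ca_and_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# DER SubjectPublicKeyInfo as a hex string, from a private key or a cert,
# so the two can be compared byte for byte.
pubkey_hex_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n'
}
pubkey_hex_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# The check to run before handing an existing key/cert pair (e.g. Apache's)
# to a second TLS stack: does the certificate's public key match the private
# key? Prints "match" or "mismatch"; returns 0 only on a match.
key_matches_cert() {
    k=$(pubkey_hex_from_key "$1")
    c=$(pubkey_hex_from_cert "$2")
    if [ -n "$k" ] && [ "$k" = "$c" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Does the cert actually chain to the CA that supposedly issued it?
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Alan's approach to "where does Apache keep its private key": list files
# under a directory whose contents start with a PEM private key header
# (PKCS#8, encrypted PKCS#8, or the legacy RSA form).
list_pem_private_keys() {
    grep -rlE -- '^-----BEGIN (ENCRYPTED |RSA )?PRIVATE KEY-----' "$1" 2>/dev/null | sort
}

# Demo: the key the CSR was built from matches; an unrelated key does not.
make_server_key
make_csr
make_ca_and_sign
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
echo "server.key vs server.crt: $(key_matches_cert "$WORK/server.key" "$WORK/server.crt")"
echo "other.key  vs server.crt: $(key_matches_cert "$WORK/other.key" "$WORK/server.crt")"
cert_chains_to_ca "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt chains to ca.crt"
echo "PEM private keys found under $WORK:"
list_pem_private_keys "$WORK"
```

The point of the key_matches_cert check is the case David raises: reusing the certificate Apache already has means reusing Apache's private key as well, and a mismatched pair fails only at handshake time, so test it up front. Converting that key file into whatever form the second TLS stack wants (pemtrans for cryptlib, per Abhijit) is a separate step that this example does not attempt.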