Crypto Software - Clifford Heath

Home Page
We have tracked the development of Eric Young's SSLeay package since its first announcement, and we have used it internationally in customer applications (including online banking) with OpenUI, our premier cross-platform client-server (or standalone) development environment product.

Client Certificates

I present a package of HTML, shell scripts and cgi-bin programs to allow presentation of a Certifying Authority, with: Many further features would be desired by a live CA, including:

When used as I do, with Apache and Ben Laurie's SSLeay module, you can run a single server with HTTP, HTTPS and HTTPS with client certificates, and you can issue the certificates yourself. Unfortunately MSIE only supports client certificates with SSL3, which at the time I made this package SSLeay didn't yet support (try it though, it might work although I haven't had time to test it). Also, if you want to use useful email addresses inside an MSIE certificate, you'll need SSLeay-0.8.1 (or with 0.6.6, a patched version of SSLeay's "ca" program which can handle the 32-bit character encoding used by MSIE when, for example, an email address has an @ sign in it (and when don't they?). I have patched ca myself, but 0.8.1 does it for you).

The complete package is contained in the following tar file:

Client Certificate Archive

You'll need to:

The cgi-bin scripts are installed in the same location as the html (so configure that), and the demoCA is setup to be in the ServerRoot directory. The scripts use vanilla UNIX sed, awk, etc so if you're on Windows NT, you're out of luck. Some folk have rewritten/extended it all using perl, but I haven't integrated their versions yet, sorry.

I should also integrate the new MSIE certificate enrollment DLL, this version uses certenr3.dll, the old one (I believe it still works with MSIE 4).

Acknowledgements are due to many, including mainly Eric Young, Tim Hudson, and Holger Reif. Needless to say, this stuff is unsupported, intended for experimentation only, you get what you paid for and can take any blame yourself :-).

Clifford's Home Page