We have tracked the development of Eric Young's SSLeay package since its first announcement, and we have used it internationally in customer applications (including online banking) with OpenUI, our premier cross-platform client-server (or standalone) development environment product.
Client Certificates
I present a package of HTML, shell scripts and cgi-bin programs to allow presentation of a Certifying Authority, with:
- CA certificate installation
- Secure connection to the CA server
- Client certificate request forms for Netscape and MSIE
- Offline certificate signing, notified through mail
- Connection using client certificates (MSIE requires SSL3)
Many further features would be desired by a live CA, including:
- Certificate browsing (other than by serial number!)
- Certificate revocation URLs
- A client-cert protected interface for the certifier to sign requests with.
When used as I do, with Apache and Ben Laurie's SSLeay module, you can run a single server with HTTP, HTTPS and HTTPS with client certificates, and you can issue the certificates yourself.
Unfortunately MSIE only supports client certificates with SSL3, which SSLeay didn't yet support at the time I made this package (try it though; it might work, although I haven't had time to test it).
Also, if you want to use useful email addresses inside an MSIE certificate, you'll need SSLeay-0.8.1 (or, with 0.6.6, a patched version of SSLeay's "ca" program), which can handle the 32-bit character encoding MSIE uses when, for example, an email address contains an @ sign (and when don't they?). I have patched ca myself, but 0.8.1 does it for you.
The complete package is contained in the following tar file:
You'll need to:
- change the logo image
- change references to "OSA CA"
- change references to "magpie", which is my workstation
- edit the request-client-cert CGI script to change the certifier email address
- after running "start-demoCA", make the directories "demoCA/requests" and "demoCA/requests/processed" writable by your web server, otherwise the requests can't be saved.
The cgi-bin scripts are installed in the same location as the HTML (so configure that), and the demoCA is set up to live in the ServerRoot directory. The scripts use vanilla UNIX sed, awk, etc., so if you're on Windows NT you're out of luck. Some folk have rewritten/extended it all using perl, but I haven't integrated their versions yet, sorry.
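The following script carries out the customisation and directory steps listed above. It is an added example, not part of the package itself or of SSLeay; it assumes the unpacked package lives under a directory you pass in, that your web server runs under a group you name (apache, www-data, or whatever your httpd.conf says), and it makes the request directories group-writable for that group rather than world-writable, so that other local users cannot plant or alter pending certificate requests before the certifier signs them.

```shell
#!/bin/sh
# Added example (not from the original package). Assumed layout: the package
# HTML and CGI files are under $1 of customize_ca_refs, and the demoCA
# directory created by "start-demoCA" is $1 of setup_request_dirs.

# Replace the demo references ("OSA CA" and the host name "magpie") in every
# text file under the package directory that mentions them.
# Arguments: package dir, new CA name, new host name.
# The replacements are used raw in a sed expression, so keep '/' and '&'
# out of them (or escape them first).
customize_ca_refs() {
    pkgdir=$1; ca_name=$2; host=$3
    find "$pkgdir" -type f | while read -r f; do
        # Only touch files that actually contain one of the names; binary
        # files such as the logo image are left alone.
        grep -q -e 'OSA CA' -e 'magpie' "$f" 2>/dev/null || continue
        sed -e "s/OSA CA/$ca_name/g" -e "s/magpie/$host/g" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Create the request spool directories after "start-demoCA" has run and make
# them writable by the web server's group only. Mode 2770: owner and group
# may read/write/search, nobody else, and the setgid bit keeps the group on
# files the CGI script saves there.
# Arguments: demoCA dir, web server group.
setup_request_dirs() {
    democa=$1; webgroup=$2
    for d in "$democa/requests" "$democa/requests/processed"; do
        mkdir -p "$d"       || return 1
        chgrp "$webgroup" "$d" || return 1
        chmod 2770 "$d"     || return 1
    done
}

# Sanity check: return 0 if the directory is group-writable but not
# world-writable. Uses ls -ld rather than stat so it works on any UNIX.
request_dir_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        d???rw[xs]---) return 0 ;;
        *)             return 1 ;;
    esac
}
```

Run `customize_ca_refs /path/to/html "My CA" myhost.example.org` once, then after `start-demoCA` run `setup_request_dirs /path/to/ServerRoot/demoCA www` and confirm with `request_dir_ok`. You still need to change the logo image and the certifier email address in the request-client-cert CGI script by hand.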
I should also integrate the new MSIE certificate enrollment DLL; this version uses certenr3.dll, the old one (I believe it still works with MSIE 4).
Acknowledgements are due to many, including mainly Eric Young, Tim Hudson,
and Holger Reif.
Needless to say, this stuff is unsupported and intended for experimentation only; you get what you paid for and can take any blame yourself :-).
Clifford's Home Page