WebApp Sec: RE: Open Source Certificate authority

["Chip Kelly" <Chip.Kelly () sas com>]

The only way to prevent an authentication challenge in a browser is to use a certificate that is vetted to a trusted 
root certificate previously installed in the browser. That's what Verisign is selling for $250, a certificate that will 
not be challenged by almost any web browser in use on the Internet. To replace the Verisign cert, and still avoid the 
authentication challenge, you will need to use a certificate that is similarly vetted to a previously installed trusted 
root cert. There are other vendors with similar coverage to Verisign (Baltimore, Entrust, Valicert, etc.) that also 
sell SSL certs for a little more than half of what Verisign charges. If you choose to use your own CA, whether its MSFT 
or openSSL, you will not be able to avoid the authentication challenge until you vet your root certificate with one of 
the trusted root certificates that are already loaded into the browser that your client will use to access your site or 
application. That process is costly, since
you are then able to generate an unlimited number of certs, all vetted to a root certificate that is recognized and 
trusted. 

chip
----
Chip Kelly, GCIA, GCIH, CISSP
Systems and Information Security Manager
SAS Institute Inc.
Chip.Kelly () sas com      RA462
voice:  919-531-7033    fax:919-677-4444
mobile: 919-606-8230 pager: 919-503-7816       




-----Original Message-----
From: Tenorio, Leandro [mailto:ltenorio () intelaction com] 
Sent: Tuesday, September 23, 2003 1:12 PM
To: Jared Ingersoll; sectools () securityfocus com; webappsec () securityfocus com
Subject: RE: Open Source Certificate authority


U will receive a warning message unless u use a truhtfully certicate autority like verisign. On the other hand if you 
install the certificate created with any product the first time u use, u will never receive a warning message again.



-----Original Message-----
From: Jared Ingersoll [mailto:jared () cswv com] 
Sent: Tuesday, September 23, 2003 1:11 PM
To: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
Subject: RE: Open Source Certificate authority

Thanks for all of the useful info. Let me narrow my request one step more so I don't spend any time installing and 
configuring something that does not work.  The point of using an alternate Certificate Authority is to mimic the exact 
communication between the client and server. Our application has an interface to it that 3rd parties develop their own 
tools to utilize. These tools are not browsers. Anything like a certificate warning for the certificate authority, 
mismatch domain name or (expiration) will cause the exchange of information to fail (or error out). The automated tools 
we use in testing behave the same. So to
clarify:

1. Is there an app that anyone is familiar with that will duplicate Verisign's Certificate Authority in a way that 
would eliminate any type of warning. (It seems like apache and openssl are out). 2. Does freshmeats.com's CAtool, MS 
Cert Authority, or any other software supply certificates that would not present any warning message?

Thanks again!

Jared

-----Original Message-----
From: Don Fike [mailto:fike () cs utk edu]
Sent: Tuesday, September 23, 2003 11:08 AM
To: Jared Ingersoll
Cc: 'sectools () securityfocus com'; 'webappsec () securityfocus com'
Subject: Re: Open Source Certificate authority



You can try using openssl;

http://www.openssl.org/docs/HOWTO/keys.txt

http://www.openssl.org/docs/HOWTO/certificates.txt



On Tue, 23 Sep 2003, Jared Ingersoll wrote:

> Hi Folks,
>
> I am looking for an open source or freely available tool (and/or
> documentation) that I can use to create 40-bit https certificates to
> use
in
> conjunction with iPLanet 6 (SunOne) enterprise servers on SunOS. We
> currently are in the middle of a project of creating a QA environment
where
> we need to duplicate several sites served over https. Obviously, these
certs
> will need to work with common browsers such as IE and Netscape.
> Currently
we
> use verisign to create these certs, but at $250 a pop, the cost adds
> up quickly. I'm open to any unix variant or MS platform.
>
>
> gracias,
> jared