Hi Gyu,

So if I get this all right, I have to do the following on the server:

Generate the certificate for the CA:

    openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

Create the server certificate and sign a certificate for the server:

    openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 365 -config openssl.cnf
    openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
    openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem

On the client:

Copy cacert.pem from the server to the client.

Create a client certificate:

    openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf
    openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem
    openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem

And then just link the cacert.pem, and in the ca.d put the servercert.pem file? And on the server side copy the clientcert.pem file to ca.d?

Kind regards,
Ivan

On 01/15/2016 11:42 AM, PÁSZTOR György wrote:
Hi,
"Ivan Adji - Krstev" <akivanradix@gmail.com> wrote on 2016-01-15 at 11:18:

You mean the cacert.pem or the servercert.pem? And vice versa?

The servercert.pem is the cert pair for the key that the server has. The (server)cert is the "public" part of the key, and the key file is the private part. The servercert is signed with the cacert. As far as I saw in your example, you defined a different CA for signing the servercert, and did that separately to sign the client's cert. So the CA that you created to sign the server's CSR (so, after the signing it becomes a cert) is the one which should be published to the client-side CA dir. So when the TLS handshake happens, the client sees that, whups, here is a server cert. It checks the issuer's fingerprint in the cert. Based on the fingerprint it will find the CA's cert in its local CA dir, check whether that signature is valid, and the client is happy. The same will happen on the server side symmetrically: the client will show its own cert. The server sees it is signed with the other CA (the one which you used to sign the client cert). Based on the fingerprint, it starts to check whether it is available in its CA dir. If you install that there, and the appropriate symlink is also available, then it will also find that CA cert. It will check whether the client certificate is valid. It will be. Both sides will be happy, and communicate gladly inside an encrypted channel.
Was this description clear?
Kind regards,
Gyu

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
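The trust layout Gyu describes above (two CAs; each side's ca.d holds the CA that signed the *peer's* certificate, found through a hash-named symlink), as an added worked example that is not part of this thread and not syslog-ng's own code. It assumes `openssl` is on PATH. To stay self-contained it signs with `openssl x509 -req` instead of the `openssl ca` setup (openssl.cnf, index.txt, serial) used in Ivan's commands; the CA and host names (server-ca, client-ca, syslog-server, syslog-client) are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build two CAs, issue a server and a
# client certificate, install each CA into the *other* side's ca.d with the
# hash symlink OpenSSL uses for issuer lookup, and verify both directions.
# Assumes `openssl` on PATH. Signing uses `openssl x509 -req` rather than the
# `openssl ca` setup from the thread, so no openssl.cnf/index.txt is required.
set -eu

WORK="${WORK:-$(mktemp -d)}"    # all generated material lives here

# make_ca NAME: self-signed CA key ($NAME.key) and certificate ($NAME.pem)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert CA NAME: key + CSR for NAME, signed by CA -> $NAME.cert
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.cert" >/dev/null 2>&1
}

# install_ca DIR CAFILE: copy the CA cert into DIR and add the <subject-hash>.0
# symlink. The peer's cert carries its issuer name; OpenSSL hashes that name
# and opens DIR/<hash>.0, so without this link the CA is never found.
# (Two CAs with the same hash would need .1, .2, ...; not handled here.)
install_ca() {
    mkdir -p "$1"
    cp "$2" "$1/"
    h=$(openssl x509 -hash -noout -in "$2")
    ln -sf "$(basename "$2")" "$1/$h.0"
}

# verify_against DIR CERT: exit 0 if CERT chains to a CA in DIR, non-zero otherwise
verify_against() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

report() {  # report LABEL DIR CERT
    if verify_against "$2" "$3"; then echo "OK   $1"; else echo "FAIL $1"; fi
}

demo() {
    make_ca server-ca                      # CA that signs the server cert
    make_ca client-ca                      # separate CA for the client cert
    issue_cert server-ca syslog-server
    issue_cert client-ca syslog-client

    install_ca "$WORK/client/ca.d" "$WORK/server-ca.pem"   # client trusts server-ca
    install_ca "$WORK/server/ca.d" "$WORK/client-ca.pem"   # server trusts client-ca

    report "client checks server cert against client/ca.d" "$WORK/client/ca.d" "$WORK/syslog-server.cert"
    report "server checks client cert against server/ca.d" "$WORK/server/ca.d" "$WORK/syslog-client.cert"
    # The usual mistake: the cert is fine, but its issuer is not in the ca.d
    # the verifier was pointed at, so the handshake fails on that side.
    report "client cert against client/ca.d (holds server-ca only)" "$WORK/client/ca.d" "$WORK/syslog-client.cert"
    echo "material left in $WORK"
}

demo
```

The first two checks pass and the third fails, which is the situation from the thread: the CA that signed the client cert has to be in the server's ca.d, and the CA that signed the server cert in the client's ca.d, each with its hash link. `openssl rehash DIR` (or the older `c_rehash` script) creates those links for a whole directory; syslog-ng's `ca_dir()` option in the `tls()` block expects exactly this hashed layout.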