Hi Gyu,
So if I get this all right, I have to do the following on the server:
Generate the certificate for the CA:
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
Create the server certificate and sign a certificate for the server:
openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 365 -config openssl.cnf
openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem

On the Client:
Copy cacert.pem from the server to the client
Create a client certificate:
openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 365 -config openssl.cnf
openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem
And then just link the cacert.pem and put the servercert.pem file in ca.d?

And on the server side, copy the clientcert.pem file to ca.d?

Kind regards
Ivan

On 01/15/2016 11:42 AM, PÁSZTOR György wrote:
Hi,

"Ivan Adji - Krstev" <akivanradix@gmail.com> wrote on 2016-01-15 at 11:18:
You mean the cacert.pem or the servercert.pem? And vice versa?
The servercert.pem is the cert pair for the key that the server has.
The (server)cert is the "public" part of the key, and the key file is the
private part.
The servercert is signed with the cacert. As far as I saw in your example, you
defined a different CA for signing the servercert, and did that separately to
sign the client's cert.
So the CA that you created to sign the server's CSR (so, after the
signing it becomes a cert) is the one which should be published to the
client-side ca dir.
So when the TLS handshake happens, the client sees that, whoops, here is a
server cert. It checks the issuer's fingerprint in the cert.
Based on the fingerprint it will find the CA's cert in its local ca dir.
It checks if that signature is valid, and the client is happy.
The same will happen on the server side symmetrically:
The client will show up with its own cert.
The server sees it is signed with the other CA (the one which you used
to sign the client cert).
Based on the fingerprint, it starts to check if it is available in its ca
dir.
If you install that there, and the appropriate symlink is also available,
then it will also find that CA cert. It will check if the client
certificate is valid.
It will be.
Both sides will be happy, and communicate gladly inside an encrypted
channel.

Was this description clear?

Kind regards,
Gyu
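As an added example (not from Ivan's or Gyu's messages, and not syslog-ng's own tooling), the script below builds the two hashed CA directories the thread describes and checks a server and a client certificate against them with the openssl CLI. It uses openssl x509 -req in place of openssl ca so no openssl.cnf CA database is needed; all file names and CNs are made up.

```shell
#!/bin/sh
# Added example, not from the thread: build a hashed CA directory (the ca.d
# Ivan asks about) and verify peer certificates against it with the openssl CLI.
# Assumes openssl is on PATH; every name, CN and path below is made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: the .pem is the public half, the .key stays private.
make_ca() {  # make_ca <ca-name> <CN>
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Key + CSR for a peer, then sign the CSR with the named CA.
# (openssl x509 -req stands in for 'openssl ca', so no openssl.cnf DB is needed.)
issue_cert() {  # issue_cert <ca-name> <peer-name> <CN>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# Drop a CA cert into a ca dir under its subject-hash name (<hash>.0): that
# symlink is what -CApath style lookups use to find a cert's issuer.
install_ca() {  # install_ca <ca-name> <cadir>
  mkdir -p "$2"
  cp "$WORK/$1.pem" "$2/$1.pem"
  ln -sf "$1.pem" "$2/$(openssl x509 -noout -hash -in "$WORK/$1.pem").0"
}

# Exit status 0 when the peer cert chains to a CA present in <cadir>, else non-zero.
check_cert() {  # check_cert <cadir> <peer-name>
  openssl verify -CApath "$1" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca serverca "Server CA"
make_ca clientca "Client CA"
issue_cert serverca server "syslog.example.test"
issue_cert clientca client "client.example.test"

# Client side holds only the server's CA: the server cert verifies, a cert
# issued by the (uninstalled) client CA does not.
install_ca serverca "$WORK/client-ca.d"
check_cert "$WORK/client-ca.d" server && echo "client trusts the server cert"
check_cert "$WORK/client-ca.d" client || echo "client side does not know the client CA"

# Server side holds the client CA, so the client cert verifies there.
install_ca clientca "$WORK/server-ca.d"
check_cert "$WORK/server-ca.d" client && echo "server trusts the client cert"
```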
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq