Comments on: HTTPS Using Server-Client Certificate Pair (1): Generate & Sign by OpenSSL

By: Arif

Arif — Wed, 18 Sep 2013 14:46:53 +0000

Yes, you need the "server-guy" to sign it for you using the key that he only keep for himself. This is a concept of security where the other party is not given the key (private).

By: rik

rik — Wed, 18 Sep 2013 12:48:21 +0000

I have read many articles on ssl. Still confused because nobody says “who does what”.

Lets say there is a serverguy and a clientguy. Does the serverguy generate the client certificate and give it to the clientguy???

I am trying to connect to a ssl server of which I have no ability to manipulate other than read the output of openssl s_client commands.

I know I need a client certificate. I can not figure out how I can generate a client certificate. Do I need to ask the serverguy for a client certificate? or can I generate a client certificate (me being the clientguy) without ANY help from the serverguy?

By: Arif

Arif — Thu, 22 Aug 2013 15:52:59 +0000

For some items of the config e.g. “certificate, private_key, default_days, default_md” they’re obviously the same for client. That’s why we can say that it is a client for a specific server.

For other things, we only provide default-values so that in the interactive process of creating certificate we don’t have to retype if they’re the same (just press enter to accept the default value offered by the config) e.g. the client countryName is the same as the server.
(This comes handy when I only trying things out: no need to retype everything)

By: Tamer

Tamer — Wed, 21 Aug 2013 21:15:25 +0000

hello i read your post. Thnx alot, But i have a question, What is the difference here between client and server put into consideration that you also used the CA config file to generate them.