Rogue Wave banner
Previous fileTop of DocumentContentsIndex pageNext file
Secure Communication Module User's Guide
Rogue Wave web site:  Home Page  |  Main Documentation Page

4.3 Obtaining Certificates

A certificate is a data structure that identifies an entity by establishing a binding between that entity and a public key. Certificates are used for two general purposes in the SSL/TLS protocol:

4.3.1 Obtaining Trusted Certificates to Verify Other Certificates

When a browser or client connects to a secure server, the server sends its certificate to the client. It is up to the client to verify the server's certificate using trusted certificates. Generally, these trusted certificates are issued by a globally trusted root or intermediate certificate authority, such as VeriSign, Inc.

You can create your own certificate authority for issuing "internal use" certificates. For more information, see the documentation that came with your cryptographic library.

Certificates are digitally signed using the private key of another certificate. It is possible to form long certificate chains before reaching the root certificate authority's certificate, but these chains are rarely more than five certificates long. The root certificate authority's certificate is self-signed. If the client (browser) can form the chain from the server's certificate to some trusted root certificate, the server certificate is verified, and communication can proceed.

If you are writing a client program, you must collect these root and intermediate trusted certificates. This is a manual process because you must be sure you are getting authentic root and intermediate certificates.

  1. Contact VeriSign, Inc., or any certificate authority and ask for:

  2. Convert these certificates into PEM format using the tools supplied by the cryptographic library and place them in a file.

  3. Call RWSecureSocketContext::prepareToAuthenticate() or RWSecureSocketContext::loadVerifyLocations() with the name of the file containing your trusted certificates.

If you are less concerned with security, you can get the certificates you need from Microsoft Windows 2000's internal certificate store. This is a security risk because someone can tamper with the certificates on your machine before you export them. The Netscape Web browser and the Windows operating system have hundreds of trusted certificates for certificate authorities worldwide.

Rogue Wave Software cannot provide these certificates because it is a security risk to you, and because certificates have expiration dates.

4.3.2 Obtaining Certificates to Identify a Specific Entity

To get a certificate for a server (or client, if you want client authentication), follow these steps:

  1. Create a public and private key pair using the cryptographic library's utilities.

  2. Create a certificate request using the key pair and the cryptographic library's utilities.

  3. Send the certificate request to a certificate authority, along with identification and a fee.

  4. The certificate authority will send back a signed certificate with a specified validity period (usually one year).

    You may need to convert the certificate to PEM format using the utilities in the cryptographic library.

  5. Use the certificate with RWX509Certificate. Your application can pass the certificate to the setCertificate() or setIdentity() functions of RWSecureSocketContext or RWSecureSocket. For more information about RWX509Certificate, see Section 4.6, "Constructing a Certificate."

    For more information, see the examples\secsock\certs directory and its subdirectories. These directories contain readme.txt files and scripts used with OpenSSL to create the example certificate infrastructure.

4.3.3 Using Hard-Coded Keys and Certificates

You might want to use hard-coded keys and certificates in your application in cases where your software will be running on some kind of constrained device where a file system may not be available.

To hard-code a key or certificate into an application, your application must store the data as an array of character pointers to the actual data. The actual data must be stored in PEM format.

Each line of the PEM format key or certificate becomes an element of the array. So, the first line of the PEM file becomes the first element in the array, the second line of the PEM file becomes the second element in the array, and so on. A key can be hard-coded in an application as follows:

The key shown here is a real RSA private key. Do not use this or any key or certificate shipped with the Secure Sockets package in your applications. A determined attacker will probably try all example keys supplied by the cryptographic libraries.

The number of elements in the array must also be passed to the RWAsymmetricKey or RWX509Certificate constructor. This is normally done by passing sizeof(keyData) divided by sizeof(keyData[0]) as the second parameter. The complete constructor call to use the above key is:

The process is similar for certificates. See the example program in examples\secsock\InlineEncryptedKeyServer.cpp.

Your application must use the technique described in this section to encode the entire key or certificate, including the beginning and ending tag lines and any blank lines in between. Failing to do so causes an exception to be thrown by the key or certificate constructor.

Previous fileTop of DocumentContentsNo linkNext file

Copyright © Rogue Wave Software, Inc. All Rights Reserved.

The Rogue Wave name and logo, and SourcePro, are registered trademarks of Rogue Wave Software. All other trademarks are the property of their respective owners.
Provide feedback to Rogue Wave about its documentation.