A certificate is a data structure that identifies an entity by establishing a binding between that entity and a public key. Certificates are used for two general purposes in the SSL/TLS protocol:
To verify other certificates
To identify a specific entity, such as a machine or company
When a browser or client connects to a secure server, the server sends its certificate to the client. It is up to the client to verify the server's certificate using trusted certificates. Generally, these trusted certificates are issued by a globally trusted root or intermediate certificate authority, such as VeriSign, Inc.
You can create your own certificate authority for issuing "internal use" certificates. For more information, see the documentation that came with your cryptographic library.
Certificates are digitally signed using the private key of another certificate. It is possible to form long certificate chains before reaching the root certificate authority's certificate, but these chains are rarely more than five certificates long. The root certificate authority's certificate is self-signed. If the client (browser) can form the chain from the server's certificate to some trusted root certificate, the server certificate is verified, and communication can proceed.
If you are writing a client program, you must collect these root and intermediate trusted certificates. This is a manual process because you must be sure you are getting authentic root and intermediate certificates.
Contact VeriSign, Inc., or any certificate authority and ask for:
The intermediate authority's certificate
The root certificate authority certificate, which is used to sign the intermediate authority's certificate
Convert these certificates into PEM format using the tools supplied by the cryptographic library and place them in a file.
Call RWSecureSocketContext::prepareToAuthenticate() or RWSecureSocketContext::loadVerifyLocations() with the name of the file containing your trusted certificates.
If you are less concerned with security, you can get the certificates you need from Microsoft Windows 2000's internal certificate store. This is a security risk because someone can tamper with the certificates on your machine before you export them. The Netscape Web browser and the Windows operating system have hundreds of trusted certificates for certificate authorities worldwide.
Rogue Wave Software cannot provide these certificates because it is a security risk to you, and because certificates have expiration dates.
To get a certificate for a server (or client, if you want client authentication), follow these steps:
Create a public and private key pair using the cryptographic library's utilities.
Create a certificate request using the key pair and the cryptographic library's utilities.
Send the certificate request to a certificate authority, along with identification and a fee.
The certificate authority will send back a signed certificate with a specified validity period (usually one year).
Use the certificate with RWX509Certificate. Your application can pass the certificate to the setCertificate() or setIdentity() functions of RWSecureSocketContext or RWSecureSocket. For more information about RWX509Certificate, see Section 4.6, "Constructing a Certificate."
For more information, see the examples\secsock\certs directory and its subdirectories. These directories contain readme.txt files and scripts used with OpenSSL to create the example certificate infrastructure.
You might want to use hard-coded keys and certificates in your application in cases where your software will be running on some kind of constrained device where a file system may not be available.
To hard-code a key or certificate into an application, your application must store the data as an array of character pointers to the actual data. The actual data must be stored in PEM format.
Each line of the PEM format key or certificate becomes an element of the array. So, the first line of the PEM file becomes the first element in the array, the second line of the PEM file becomes the second element in the array, and so on. A key can be hard-coded in an application as follows:
const char* keyData[] = {
"-----BEGIN RSA PRIVATE KEY-----",
"MIICXAIBAAKBgQC2ryS14iDA6X/VXaH016goKvbivRyjn3FCB/AH/r6KSFZaHPTP",
"GnhbCm/sG5YeutFlPGsq7FeBAKkuKS3FFkSn2uJD10Sy6oatmekMu0s7SFsxMo+e",
"GRMsnhhioh0HYhTQotl76fwUKnDGc7u2glRdGQvTl5+y0gO7DaJhN6dEKQIDAQAB",
"AoGANtdZM+jQYFk4cPsM1Y2wA27ycprG8C+7NlFfs2a8GJMiqSasL0gI/XuiocSe",
"SldW6Qc8PMR6eFWUdDEUdmf6787LNT1YBJp/M2Xuk4Gr7qR99DJS1HhdEKrumksF",
"gmWJRwTmw4rJ0o2DC61ZAN+Iul+QujGoIdHWAYAwS7zOiwECQQDor9ZB/DjKSjeu",
"j1u1E473yrP9amQXHSbuquGaH+b7Cac6GC/YfZm7YODBWp0rU8jceq+hV8vkdl79",
"ICj1+p5ZAkEAyPzKsMY6BYmzqPaFRj6KFl3WSOkTHlVyLh9+WwjYU/Iyg+1Zr1Aj",
"Qu4niGtgK7QEXvuOeVxJK3CjNkxnFfM6UQJANFZgtgTabT3WWnAqa4dTsA6q/4Qv",
"sTdAa4yKJBWq6apZL+sC0AooSwpWY4dTNMyqsFT0LjFGTkQFx5+1NubBOQJAR90j",
"eCuYiWxgIdTreF9aLn8k5HL6FAmHRviZzGEQQIvEBinyvF2SDhdraTrDazz1pySZ",
"H8mgm/itUvfkkBOk0QJBAJZ5Hw+yhiEIKV6nSHcSwGlo+mxLDzUzq0NkU7Svgfk5",
"K1gngAYDkLZGi9U1JRR0E7SbUNXs+cFpE/wzm3C85iE=",
"-----END RSA PRIVATE KEY-----"
};
|
The key shown here is a real RSA private key. Do not use this or any key or certificate shipped with the Secure Sockets package in your applications. A determined attacker will probably try all example keys supplied by the cryptographic libraries.
The number of elements in the array must also be passed to the RWAsymmetricKey or RWX509Certificate constructor. This is normally done by passing sizeof(keyData) divided by sizeof(keyData[0]) as the second parameter. The complete constructor call to use the above key is:
RWAsymmetricKey key(keyData, sizeof(keyData)/sizeof(keyData[0])); |
The process is similar for certificates. See the example program in examples\secsock\InlineEncryptedKeyServer.cpp.
Your application must use the technique described in this section to encode the entire key or certificate, including the beginning and ending tag lines and any blank lines in between. Failing to do so causes an exception to be thrown by the key or certificate constructor.
Copyright © Rogue Wave Software, Inc. All Rights Reserved.
The Rogue Wave name and logo, and SourcePro, are registered trademarks of Rogue Wave Software. All other trademarks are the property of their respective owners.
Provide feedback to Rogue Wave about its documentation.