The Ultimate Business Machine

Technology, business and innovation. And, not least, about the Mac.


by: Bernard Teo








Creative Commons License

Copyright © 2003-2012
Bernard Teo
Some Rights Reserved.


Sun 17 Jul 2005

Certificate Signing - Dead End

Category : Technology/chainOfTrust.txt

I'm going to wrap up my exploration of digital certificate signing, at least for a while until I get better ideas, but this is why I think I've hit a dead end.

According to the man page on the OpenSSL verify command, which is used to verify that a cert is OK all the way up its trust chain, one of the checks it does is to make sure that the issuer of a cert is actually allowed to sign certs:

... in addition the keyUsage extension of the candidate issuer (if present) must permit certificate signing ...

So, the freessl cert that I bought, which I was hoping would allow me to sign certs in turn for Hai Hwee, Bee Khim, Brendan, etc., does not include cert signing among its allowed uses.

It has "Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment". But nothing like cert signing. (It takes less effort to set it to "all", like freessl's own root cert).
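The keyUsage check quoted from the man page can be reproduced offline; the following is an added example, not code from the original post. It builds a throwaway root, intermediate and leaf with constructed names, and gives the intermediate basicConstraints CA:TRUE in both runs (an assumption, so that keyUsage is the only difference) before running openssl verify on the leaf.

```shell
#!/bin/sh
# Added example. All names and keys are constructed throwaways, not the post's certs.

# sign NAME EXT_SECTION [ISSUER]: new key and CSR for NAME, signed by ISSUER
# (self-signed when ISSUER is omitted), with extensions taken from ext.cnf.
sign() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=Constructed $1" 2>/dev/null || return 1
  if [ -n "$3" ]; then
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -extfile ext.cnf -extensions "$2" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile ext.cnf -extensions "$2" -days 2 -out "$1.pem" 2>/dev/null
  fi
}

# chain_verifies KEYUSAGE: build root -> intermediate -> leaf in a temp dir, giving
# the intermediate the keyUsage in $1, and return 0 only if `openssl verify`
# accepts the leaf. A setup failure also returns 1.
chain_verifies() (
  dir=$(mktemp -d) || exit 1
  cd "$dir" || exit 1
  cat > ext.cnf <<EOF
[root]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[inter]
basicConstraints=critical,CA:TRUE
keyUsage=$1
[leaf]
basicConstraints=CA:FALSE
EOF
  rc=1
  sign root root && sign inter inter root && sign leaf leaf inter &&
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem 2>/dev/null |
      grep -q ': OK' && rc=0
  cd / && rm -rf "$dir"
  exit "$rc"
)

# The usages quoted in the post, then the same list with certificate signing added.
POSTED="digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment"
for ku in "$POSTED" "$POSTED,keyCertSign"; do
  if chain_verifies "$ku"; then echo "ACCEPTED: $ku"; else echo "REJECTED: $ku"; fi
done
```

Running `openssl x509 -noout -text` on a purchased cert shows its X509v3 Key Usage line, which is the value this check reads from the candidate issuer.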

So I think it's not the technology. We've got everything there in OS X, under the OpenSSL umbrella of commands, to do it, i.e., sign certs as a valid intermediate Certification Authority, so long as we have a valid cert that will allow us to establish that "chain of trust". Whatever limitations there are now are man-made.

This is what irks me about the whole SSL, digital certs thing. It does use some relatively esoteric Unix incantations but it's all clearly understandable. The first time I bought a Verisign cert, I was awed by all this PKI "our facility is protected by seven rings of security" thing. But you could do all this on your Mac.

We need digital signatures and message encryption more than we need these guys to insert themselves into the "Chain of Trust".

Posted at 9:01AM UTC
