The Ultimate Business Machine - Archives
Sun 17 Jul 2005
WebMon, SSL, Mail, and Digital Certificates
Just some updates about WebMon and SSL.
I'm almost done with the interface. I'm able to get WebMon to generate a certificate request (a CSR in SSL parlance) and display the block of text containing that CSR, so that the user can paste that into his application at one of the certification authorities.
I just need to wrap it up by providing an interface for the user to paste the returned certificate, so that WebMon can copy that to the right location and restart the server.
I've been experimenting with Apple's very excellent Certificate Assistant (that comes with Tiger's new Keychain Access application), but I think that serves a more mail client-centric need.
If you use WebMon's SSL-enabler, you should be able to set the web server up for SSL, and get the certs and keys stashed into all the right places in one fell swoop. Or at least that's what I hope I could do.
But, back to the Certificate Assistant. I think it's very well thought out. I've used something similar in Windows 2000 (I haven't thought about Windows in ages) but Apple's implementation is better.
I now know how the process works, both via Certificate Assistant, as well as manually via the OpenSSL commands. But I still haven't found the answer to the question: if I have a valid live SSL cert, can I use it to sign other certificates so that other mail clients don't complain when they receive mail from all of us here at cutedgesystems.com? (Because currently I could only use a self-signed cert, and that is not linked to the so-called "chain of trust", unless I know how to bring the live cert into the equation.)
Currently, Certificate Assistant works with self-signed certs. If I make myself a Certification Authority, I can't issue a cert for Hai Hwee, say, and link that all the way back to the root certificate used by freessl.com, even though I, as the sub-level Certification Authority, have a valid certificate from freessl.com.
I've been banging my head over this the last couple of days. Sending mail without signing and encrypting it is, like someone said, sending business information using postcards, for everyone to read who handles its delivery. We really need to get to this next stage of e-mail usage. And the process has got to be simpler and cheaper than it is now.
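
The question above, whether a live server cert can sign other certs, can be tested with the OpenSSL command line. This is an added example, not code from the original post or from WebMon. It assumes the server cert carries `basicConstraints CA:FALSE`, as CA-issued server certificates normally do; the names `root`, `middle` and `user` and the helpers `issue` and `chain_ok` are hypothetical.

```shell
#!/bin/sh
# Added example: every key, name and certificate here is a throwaway generated locally.

# issue NAME ISSUER BC: new key + CSR for NAME, signed by ISSUER ("self" for the
# root), with basicConstraints set to BC (CA:TRUE or CA:FALSE).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$1" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null || return 1
  printf 'basicConstraints=critical,%s\n' "$3" > "$work/$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$work/$1.csr" -signkey "$work/$1.key" -days 30 \
      -sha256 -extfile "$work/$1.ext" -out "$work/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.crt" -CAkey "$work/$2.key" \
      -CAcreateserial -days 30 -sha256 -extfile "$work/$1.ext" \
      -out "$work/$1.crt" 2>/dev/null
  fi
}

# chain_ok BC: build root -> middle -> user, where the middle certificate gets
# basicConstraints BC, and return 0 only if the user cert verifies to the root.
chain_ok() {
  work=$(mktemp -d) || return 1
  issue root self CA:TRUE &&
    issue middle root "$1" &&
    issue user middle CA:FALSE &&
    openssl verify -CAfile "$work/root.crt" -untrusted "$work/middle.crt" \
      "$work/user.crt" >/dev/null 2>&1
  rc=$?
  rm -rf "$work"
  return $rc
}

# Middle = ordinary server cert (CA:FALSE): the signature on the user cert is
# mathematically valid, but path validation refuses the issuer.
if chain_ok CA:FALSE; then echo "signed by server cert: accepted"
else echo "signed by server cert: rejected"; fi

# Middle = real subordinate CA cert (CA:TRUE): same steps, chain is accepted.
if chain_ok CA:TRUE; then echo "signed by sub-CA cert: accepted"
else echo "signed by sub-CA cert: rejected"; fi
```

The only difference between the two runs is the `basicConstraints` value the root placed in the middle certificate, which the holder of that certificate cannot change without invalidating the root's signature.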