Java
  GuestBook
  Security
     Explorer
     Netscape

JavaScript
  Mouse Over

Layers
  Menu

Windows
  File Types

Do It Yourself

Okay, so it's supposed to be an open standard. Shouldn't I be able to create my own certificate for use inside my intranet and go from there?

Well the first question people in the US must ask yourself is: Is this for commericial purposes? Even if you are just doing it for an intranet, that's commerical. RSA holds the patent for public key cryptography, and so until the year 2000 then even if you wrote the code yourself, you couldn't use it.

Now given that you are not in the US or you are an education institution (with written permission to use RSAREF) then here are a few steps to get you on your way.

First our goal: To create a certificate that can be used to sign an applet so that netscape 4.0 will be able to recognise it. We want to do this without paying.

Now let me note that I didn't actually fill in all the blanks neccessary to create an object signing certificate from scratch. This is mostly because I ran out of time. But this should be enough information to get you on your way.

Requirements for a certificate used to sign applets.

• Signed by a recognised Certifying Authority certificate.
• Is an object signing certificate.
• Is a valid certificate (obviously)

Signed by a certifying authority certificate

Short Version

1. build apache with SSL extensions
2. cd apache/src
3. configure apache conf files (don't forget to configure SSLconf stuff)
4. make certificate
5. start server.
6. connect to server.

Long version

Download apache
    http://www.apache.org/
download SSLeay
    ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/
      eg SSLeay-0.8.1.tar.gz
get extentions for Apache-SSL
    http://www.algroup.co.uk/Apache-SSL/
    ftp://ftp.ox.ac.uk/pub/crypto/SSL/
	apache_1.2.4+ssl_1.11.tar.gz
Follow directions contained in README located in the above file.

with the following exceptions:

Part of the instructions are apply a patch. If you are on Solaris (and maybe some other systems), you will need gnu "patch" (ftp://prep.ai.mit.edu/pub/gnu/patchx.y.tar.gz)

it says:
	patch < SSLpatch
but you really need:
	patch -p0 < SSLpatch
the continue with the build.

This will get you apache-ssl. (server will be httpsd rather than httpd)

Before you start the server, you will need a server certificate: This can be generated using:

cd /src
make certificate

Provide the information they ask for (company, location, email etc). For netscape the *common* name should be *.mydomain.com or the name of the server (where mydomain is really you domain!) This will eliminate the user from needing to see some warning message about the possibility of a bogus certificate (but it'll still work anyway).

You must also make sure that bit's 3 and 7 are turned on for the netscape-cert-type exentions (or is that nsCertType?) to ensure that the certificate is able to sign objects (so really you would just need bit 7 Object Signing CA). Bit 3 says it's an object signing certificate.

you can load this certificate into the browser by copying this to your web server so that it will have the type application/x-x509-ca-cert (I added the following lines to mime.types, copied httpsd.pem to file.cx and restarted the server:

application/x-x509-user-cert    ux
application/x-x509-ca-cert      cx
application/x-x509-email-cert   ex

To go further you need to start writting some code... Now you need to import the certificate into netscape. One way to do this is to use the <KEYGEN> interface described in Communicator 4.0 Key Generation. You also need to read the Certificate Download Spec Mon Oct 13 04:50:06 EDT 1997

I figured out how to get communicator to generate a key. Check this out. Here is the html to do that. This step is neccessary to get communicator to accept a user certificate. Otherwise an error something like, the corresponding private key does not exist in the database, will result. Which really makes a lot of sense, since you don't want Verisign (et al) to know your private key, kinda cool eh?

Import a certificate into netscape from scratch!

The following are hints towards making an object signing certificate for yourself. There is not enough information, but if you are adventurous, it'll head you down a path (hopefully the right one!)

• Get and install SSLeay
• GET ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/pfx-0.1.1.tar.gz
• Compile etc... read ca-kludge.doc from pfx.. or trust me...

   (ssleay.cnf is usually /usr/local/ssl/lib/ssleay.cnf)
  1. Create a CA with CA.sh -newca (ssleay.cnf should be nsCertType=0x40)
  2. Edit ssleay.cnf and change the value nsCertType to 0x04.
  3. Create a request with CA.sh -newreq, this should have the CA info entered.
  4. Sign the request with CA.sh -signreq.
  5. You now have a ca certificate and key with the relevant attributes. Self
     sign the new cert with
   x509 -days 365 -in newcert.pem -signkey newreq.pem -out cacert.pem
  6. Reset ssleay.conf nsCertType to 0x80 (for clients) or 0x40 (for servers).
  

  #6. Overwrite cacert.pem in the CA directory (default ./demoCA) with cacert.pem # and the CA private key (./demoCA/private/cakey.pem) with newreq.pem #8. Use the "new CA" as normal. Don't forget to reset the cert type in ssleay.cnf # to 0x80 (for clients) or 0x40 (for servers).

  References

  • http://www.netscape.com/eng/security/certs.html - Netscape Certificate Specifications.
  • http://www.apache.org/ - APACHE
  • http://www.algroup.co.uk/Apache-SSL/ - APACHE-SSL
  • http://remus.prakinf.tu-ilmenau.de/ssl-users/ - SSL Mailing list archive
  • http://www.psy.uq.oz.au/~ftp/Crypto/ - SSLeay and SSLapps FAQ
  • http://www.cryptsoft.com/ - Crypysoft (authors of SSLeay)
  • http://developer.netscape.com/software/signedobj/filesecdemo/FileSecDemo.html - Netscape Java Security Demo
  • http://developer.netscape.com/library/documenation/ - General Netscape Developer Documentation - not a bad starting point for offical things.
  • http://developer.netscape.com/library/documentation/signedobj/trust/index.htm - Establishing Trust for downloaded software - netscape object signing
  • http://java.sun.com/products/jdk/preview/ - Preview JDK1.2 features
  • https://certs.netscape.com/client.html - Sources for certificates
  • RSA - the people who own the patent.
  • http://developer.netscape.com/library/documentation/signedobj/javadoc/Package-netscape_security.html - netscape.security API
  • http://developer.netscape.com/library/documentation/signedobj/targets/index.htm - List of all capabilities eg UniversalPropertyRead

  ---

  The information on these pages are provided on an "AS IS" basis, and may be used freely at your own risk. Addition usage information found on each particular page.
  olabs@olabs.com