[kmf-discuss] kmf pktool
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Fri Jan 4 10:55:34 PST 2008
David -
I'm adding kmf-discuss to the CC list. Response below...
David Major wrote:
> Hi Wyllys,
>
> We are really new to PKI.
>
> We are working on a data archiving project which requires SSLv3.
>
> http://www.opensolaris.org/os/project/mms/whatis/
>
> We are currently using OpenSSL with DSA certs.
Why DSA? KMF has support for DSA, but it hasn't been tested nearly
as well as RSA.
>
> Do you have or can you point me at an example client/server C program
> that uses KMF?
Hmm, not sure if I have what you need or not. pktool in Solaris has
a lot of good example code for accessing OpenSSL keys and certificates.
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/cmd-crypto/pktool
>
> It seems (I feel) most applications are adding certificates to the
> server and skipping getting the certificate request signed by the CA. Is
> it valid to use certificates not signed by at least a self-signed
> certificate authority or does pktool provide that function?
No, it is not secure or useful to have a certificate that is not signed.
In fact, it is not a certificate at all until it has a signature, even
if it is only self-signed. Most security experts frown on the use of
self-signed certs in favor of actually getting them signed by a CA
which will manage the revocation lists properly.
>
> Can we use KMF across the network to get at a self-signed CA CRL?
KMF can retrieve CRLs and certificates across the network. See the
"kmf_download_crl" and "kmf_download_cert" functions documented here:
http://opensolaris.org/os/project/kmf/files/KMFAPI_Reference.pdf
What you may really want is the "kmf_validate_cert" function (also
documented above). I don't know of any real-world apps that use these
functions yet, but they have been tested.
-Wyllys
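Added example, not code from this thread or from KMF itself: the validate-then-check-CRL flow Wyllys points at, sketched with Go's crypto/x509 standing in for libkmf (whose API is C and Solaris-specific). Everything in it is a constructed fixture: "Demo CA", "good.example" and "revoked.example" are made-up names, the keys are generated on the spot, and errors from fixture construction are dropped only because no real input is involved.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func issue(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate { // parent == tmpl: self-signed
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // errors dropped: fixtures only
	c, _ := x509.ParseCertificate(der)
	return c
}
// BuildDemoPKI constructs, in memory, a self-signed CA, a leaf it issued, a second leaf it has since revoked, and the CA-signed CRL naming that second leaf.
func BuildDemoPKI() (ca, good, revoked *x509.Certificate, crl *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // leaves get a key pair of their own
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign lets the CA sign its own CRL
	ca = issue(t, t, caPub, caKey)
	t.IsCA, t.KeyUsage, t.SerialNumber, t.Subject.CommonName = false, x509.KeyUsageDigitalSignature, big.NewInt(2), "good.example" // template reused for the leaves
	good = issue(t, ca, leafPub, caKey)
	t.SerialNumber, t.Subject.CommonName = big.NewInt(3), "revoked.example"
	revoked = issue(t, ca, leafPub, caKey)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now}}}, ca, caKey)
	crl, _ = x509.ParseRevocationList(crlDER)
	return
}
// ValidateLeaf does what a validator such as kmf_validate_cert is for: chain the leaf to a trusted CA, then reject it if a CRL that CA actually signed lists its serial.
func ValidateLeaf(leaf, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // unsigned, expired, or not chained to the trusted CA
	} else if err := crl.CheckSignatureFrom(ca); err != nil {
		return err // a CRL the issuer did not sign proves nothing
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked by issuer CRL")
		}
	}
	return nil
}
```

A downloaded CRL is only worth consulting once its signature has been checked against the issuing CA, which is why ValidateLeaf refuses to read the revocation entries before that check passes.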