EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SSL connection with 3rd Party CA Signed public cert

Posted: 03/06/2009 09:06:56
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

If i have a 3rd Party CA Signed Certificate say from Verisign or Thwate which are already in the trusted root store, is there a way to get that from SSLBlackbox. As of now my application uses a public cert distributed with the applciation.

I want to know if this has to be done in my application or can it be done via SSLBlackbox?
Posted: 03/06/2009 09:57:56
by Ken Ivanov (Team)

Certificate chain validation should be performed by a code that uses SecureBlackbox components (we did not implement that, as this procedure differs for different business tasks). SecureBlackbox provides all the necessary technical means for validating the integrity of certificate signatures, accessing Windows system stores, retrieving certificate details, but the following tasks lie on the shoulders of the client code:
a) to build a complete chain using certificates provided by the server and certificates stored locally (e.g., in Windows stores),
b) to validate the integrity of the chain by iterating over certificates from the end-entity server certificate up to the root certificate,
c) to check if certificate of the server is "good" (this includes checking certificate validity period, checking a correspondence between server name and subject name contained in certificate, checking certificate purposes etc.),
d) to check that one of certificates forming the chain is available in the trusted list.

I wish to emphasize that SecureBlackbox provides all the necessary functionality to perform the above tasks.
Posted: 03/06/2009 11:50:56
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I am looking to access the windows system store. is there an example somewhere which i can see?
Posted: 03/09/2009 00:03:05
by Ken Ivanov (Team)

Yes -- please take a look at the CertDemo sample. Besides other features, it illustrates the use of TElWinCertStorage control that deals with windows system stores.
Posted: 03/13/2009 13:58:30
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I am looking for help in using the ElWinCertStorageX and ElSecureClient for SSL.

When the application starts i load the windows system store into an Object StorageX. At this point the client does not know what certificate it needs.

Then i initiate an SSL connection. In the SecureClient_OnCertificateValidate the client is presented with the Server Certificate.

I am trying to choose the right cert from the System Store which corresponds to this server certificate, such that i can use the StorageX.GetCertificate(index) method to get the certificate and then send it to the client in the
SecureClient_OnCertificateNeededEx event.

1. Is this process right?
2. How do i find the right public certificate to send down to the server from the system store?

Posted: 03/15/2009 23:46:01
by Ken Ivanov (Team)

1. No. Certificate provided by the server has nothing common with the certificate it may request from you.
2. There's no universal answer for this question. Some servers do provide the names of the CAs they trust so that one could choose the right certificate to send, but the most do not, and some other mechanism of choosing the correct certificate (such as asking a user) should be used. Besides, ActiveX edition does not support this functionality yet, so asking a user (or using alternative certificate selection mechanism) should be used anyway.



Topic viewed 1466 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!