Trying to make sense of different certificates..

#26532
Posted: 09/19/2013 18:04:54
by Katit (Basic support level)
Joined: 09/19/2013
Posts: 14

Currently evaluating EDI Black Box (.NET), working on AS2 protocol specifically.
Playing with Sender and Receiver sample projects.

Need to get some better info on WHAT exact certificates and types I need to provide. For decoding I need private key. For verification I need partner's public key.

OK. For this specific task I need certificates to be:
1. All keys base64 encoded and stored in database.
2. Private key base64 encoded and without password. Yes, I know permissions, etc, etc - but I need to store key or password + key anyway.

The problem I have right now is with my self-signed key.
I used the following tutorial and OpenSSL to generate a public cert and private key. Then I removed the password from the private key:
http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php

These are the public and private keys I have. The private key won't load when I try to add them to the sample "Receiver" project.

What format should it be in for me to store? I guess it's a stupid question, but I'm new to all this: should I have both public AND private to decrypt? Or will just the private key be enough?

Private.pem:



public.pem:
#26533
Posted: 09/19/2013 23:56:39
by Eugene Mayevski (EldoS Corp.)

Thank you for contacting us.

What you have provided is a certificate and private key in PEM format. They can be loaded into an instance of TElX509Certificate class using LoadFromStreamPEM and LoadKeyFromStreamPEM methods respectively. Then you can use this object.

Note that self-signed certificates are not really secure -- most of PKI's power is in its hierarchical nature. With a self-signed certificate (when used by the sender) the recipient is bound to validate the certificate by comparing the public key with something it already has. Consequently, if the sender needs to replace the key for whatever reason, your validation scheme fails.


Sincerely yours
Eugene Mayevski
#26536
Posted: 09/20/2013 01:05:21
by Katit (Basic support level)
Joined: 09/19/2013
Posts: 14

Thank you, I figured it out already. It's just crazy with all the different names (extensions) used out there. The certificate loads in 2 steps just fine.

I'm not sure about the second part though; to me it's a "black box" really :) All I understand is that the public key is needed to encrypt but the private key is needed to decrypt. Also (not sure what it means) I heard that a self-signed certificate has the private key in it, whatever that means.

Anyway, I'm not really concerned about security at this point. In this particular industry using self-signed certificates is the norm; I guess it's more a matter of "compliance" with the AS2 protocol than a need for actual security. The data traded is not a big deal or secret. And of course, even if there is someone who wants to know this, they won't have the resources or ability to crack it even if it's not that secure.
#26538
Posted: 09/20/2013 01:16:25
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

Quote
Also (but not sure what it means) I heard that self-signed certificate has private key in it whatever it means.

X509 certificates contain public keys and are signed by certification authority's private key. In case of self-signed certificate it is signed by its own key. Usually self-signed certificates belong to certification authorities. Here is a good article on this topic: https://www.eldos.com/security/articles/1953.php
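The two questions above (does this private key belong to this certificate, and what makes a certificate self-signed) can be checked with the same OpenSSL that generated the files. This is an added example, not EldoS or SecureBlackbox code; the subject name and file paths are constructed values.

```shell
#!/bin/sh
# Added example (not EldoS code): generate a self-signed test certificate with an
# unencrypted private key, as in the tutorial linked above, then check that the key
# really belongs to the certificate before storing both PEM files in a database.
set -eu

WORK="${TMPDIR:-/tmp}/as2-demo.$$"
mkdir -p "$WORK"

# One-shot equivalent of the tutorial: key without passphrase (-nodes) plus a
# certificate signed by that same key (-x509). Subject is a constructed value.
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=US/ST=MO/L=Saint Louis/O=Example Co/CN=Example AS2" \
    -keyout "$WORK/private.pem" -out "$WORK/public.pem" 2>/dev/null
}

# Returns 0 when the private key's RSA modulus equals the certificate's, i.e.
# the pair matches; returns 1 otherwise. A key that belongs to a different
# certificate is the usual reason a "load private key" step fails.
key_matches_cert() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
  key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
  [ "$cert_mod" = "$key_mod" ]
}

# Prints "yes" when issuer and subject are identical (self-signed), else "no".
# The certificate itself never contains the private key; it only holds the
# public key and a signature made with the issuer's private key.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')
  [ "$subj" = "$iss" ] && echo yes || echo no
}

# PEM is already base64 between the BEGIN/END lines; to keep a single base64
# string (DER) in a database column, strip the armour and line breaks.
pem_to_base64() {
  grep -v '^-----' "$1" | tr -d '\n'
}

# Demo run
gen_selfsigned
key_matches_cert "$WORK/public.pem" "$WORK/private.pem" && echo "key matches certificate"
echo "self-signed: $(is_self_signed "$WORK/public.pem")"
echo "stored cert length: $(pem_to_base64 "$WORK/public.pem" | wc -c) base64 chars"
```

Storing the private key unencrypted in the database, as the post plans, means the database's access controls are the only thing protecting it; the checks above at least ensure the stored pair is usable.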
#26539
Posted: 09/20/2013 01:22:27
by Eugene Mayevski (EldoS Corp.)

As usual, I recommend buying a book or two on the topic: https://www.eldos.com/forum/read.php?FID=7&TID=1842

RSA's Guide is a must-read - well-written and easy to read, and quite comprehensive.


Sincerely yours
Eugene Mayevski
#26550
Posted: 09/20/2013 10:56:59
by Katit (Basic support level)
Joined: 09/19/2013
Posts: 14

Thank you, I ordered the book and read the article. The whole thing is still not very clear but I will get there :)