PDA

View Full Version : Generating key and certificate for QSslSocket



dawwin
26th March 2011, 22:32
I am writing simple network communicator which uses SSL, and I want to be sure how to create certificate and private key correctly. I use following command to create keys:

openssl req -x509 -newkey rsa:2048 -keyout server.key -days 365 -out server.crt -nodes
And on the server I use
server.crt as argument for addCaCertificate() and setLocalCertificate()
server.key as argument for setPrivateKey()
On the client I use
server.crt as argument for addCaCertificate()
server.crt is public and I share this for users
I want to know if this, what I described is correct and secure

wysota
27th March 2011, 01:22
In my opinion CA and the server should have different certificates. The server certificate should be signed with the CA certificate.

dawwin
27th March 2011, 10:15
Now I use following commands to generate keys


./CA.pl -newca
./CA.pl -newreq-nodes
./CA.pl -signreq


CA certificate is generated in demoCA/cacert.pem
Private key is newkey.pem
Signed certificate is newcert.pem

On the server I use
demoCA/cacert.pem as argument for addCaCertificate()
newcert.pem as argument for setLocalCertificate()
newkey.pem as argument for setPrivateKey()
On the client I use
demoCA/cacert.pem as argument for addCaCertificate()
demoCA/cacert.pem is public

How about now?

wysota
27th March 2011, 10:40
I don't know what this perl script does so it is hard to say, but it looks better now.

dawwin
27th March 2011, 10:47
This script is available in /usr/lib/ssl/misc directory. It's part of the OpenSSL


./CA.pl -newca #creates new CA certificate
./CA.pl -newreq-nodes #creates a new certificate request
./CA.pl -signreq #calls the ca program to sign a certificate request

wysota
27th March 2011, 10:49
This script is available in /usr/lib/ssl/misc directory. It's part of the OpenSSL
Which doesn't mean I have to immediately run to /usr/lib/ssl/misc and analyze it, right? This is nothing related to Qt, you know.

dawwin
27th March 2011, 10:59
I explained commands, which I use to generate keys so You don't have to analyze this script. I don't even want you to do this. I just want to know if I use private key and certificates correctly

wysota
27th March 2011, 15:12
I explained commands, which I use to generate keys
No. You listed calls to a perl script that calls *some* openssl commands that do something. Since without looking at CA.pl it is not possible to determine what commands they are it is not possible to say whether what you are doing is what you should do.


I just want to know if I use private key and certificates correctly
No idea, ask on an OpenSSL forum. The SSL handshake is done by OpenSSL and not Qt, this is really nothing related to Qt. Qt just passes the data you provide to the underlying SSL layer. I would say that if it works, it is fine. You don't have any security here anyway as you're using a self-signed certificate so this doesn't really matter, you just want the handshake to succeed. Only that you have a chance to deliver your CA certificate using some safe channel to your clients and if they install it as a trusted certificate and verify it when starting the connection it will be ok. But that's of course also nothing related to Qt...