Fun with Erlang (was Re: Stand Alone Erlang for Windows. yetagain)

Johan Bevemyr
Fri Mar 16 09:31:03 CET 2001


Client certificates cannot be self signed. They must be signed
by a CA certificate. That is, a certificate with basic constraint 
CA:true. To get a CA certificate you can either create a test
certificate or you can order one from Verisign (I have not verified
that they will sell you one).

Another possibility is to allow all client certificates signed
by Verisign access to your site. To do this you would not have to
generate any client certificates yourself, you would only have to
configure your server with Verisign's certificate as cacert. 
Verisign would then issue client certificates using their CA cert.

A client certificate is by definition not self signed. The whole idea
with client certificates is that the server should be able to verify
the certificate. This verification is done by verifying that the
certificate is signed by a certificate that we trust.  A self signed
certificate doesn't say anything about the holder.

To sign a certificate you need both the private key and the
certificate part. The private key is used to encrypt a checksum
of the client certificate. Only the corresponding public CA key
can then be used to decrypt the signature.

Cheers, Johan



#####  I tried on 010315.2 build.  These are my steps:
#####  /c/ssl/cert 1
#####  genclient

#####  and I'm getting "Error: Both a key and a certificate must be defined before a certificate can be generated"

#####  When I first "tftpcert" a Server Certificate, I get this message:
#####  /c/ssl/cert 1
#####  tftpcert tftp_ip_address
#####  specify an internally signed certificate
#####  then, genclient
#####  I'm getting "Error: Cannot generate signed certificates using non-CA certificate"


#####  Now, does this self-signed client certificate have any association with the server certificate I TFTPed?
#####  I have attached my server certificate below.  Please take a look.
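
The trust rule discussed in the message above, as an added example that is not part of the original post: a server configured with a cacert accepts a client certificate only when the issuer carries basic constraint CA:true. It assumes the `openssl` command-line tool is installed; the names `test-ca`, `not-a-ca`, `alice` and `bob` are constructed for illustration.

```shell
#!/bin/sh
# Added example; every name and key here is constructed and thrown away on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF

# self_signed NAME SECTION: self-signed certificate with extensions from SECTION
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -config "$WORK/x509.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client ISSUER NAME: sign NAME's request with ISSUER's key and certificate
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$WORK/x509.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -extfile "$WORK/x509.cnf" -extensions leaf_ext -out "$WORK/$2.pem" 2>/dev/null
}

# server_accepts CACERT CLIENT: path validation with CACERT as the only trust anchor
server_accepts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

report() {
  if server_accepts "$2" "$3"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

self_signed test-ca ca_ext       # CA:TRUE, what the server loads as cacert
self_signed not-a-ca leaf_ext    # self-signed, CA:FALSE
issue_client test-ca alice
issue_client not-a-ca bob        # openssl signs this; validation is what rejects it

report "alice, signed by test-ca" test-ca alice                 # accepted
report "bob, signed by a non-CA certificate" not-a-ca bob       # rejected
report "self-signed cert presented as client" test-ca not-a-ca  # rejected
```

The device in the quoted steps refuses a non-CA issuer at generation time; here the same constraint is enforced when the chain is validated.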


