March 24th, 2011, 09:09 AM
Setting up SSL
Hi, I've been experimenting with Apache Axis2 in a C++ program (on Ubuntu) and I use it to consume a .NET WebService over HTTP, originating from a Microsoft IIS 7.0 Webserver.
Now I'm trying to make the connection secure using HTTPS (and thus, SSL).
There's a tutorial available (but I can't post the URL because I'm new, I see), but I'm still confused about what I can/can't do with my current setup.
Question 1: The server already issues a self-signed certificate. Is this important/useful in any way? Or does it defeat the purpose of trying to secure the connection altogether (because it is self-signed?).
Question 2: Given that certificate, how should I continue my attempt at securing my connection?
As far as I understand, I need 3 certificates in total:
1. one Master certificate (generated by a Certificate Authority)
2. one server certificate (signed by using CA's Master certificate)
3. multiple client certificates (signed by using CA's Master certificate)
Thus I assume that the owner of the server must have a CA somewhere which signed the server certificate, and if I can find/locate this CA, I hope to use it to sign my client certificates. The server is physically located in the company.
I don't know if any of this makes sense, suggestions are welcome. Thanks!
April 25th, 2011, 04:46 PM
Dazzled - re: Question 1 - I don't think it's pointless to accept a self-signed certificate, as it's up to clients/browsers as to how they would handle this (I believe Firefox throws up a warning at every page of a self-signed website, but Safari and other browsers will only warn you once and allow you to download content if the user bypasses the warning).
re: Question 2 - The certificates on the client side are what you get directly from the Cert Authorities (DigiCert, ComSign, etc) to validate the info the server sends you. If you're dealing with a self-signed cert, you're not using the CA-signed certificates. If you use the CA-signed certificates, they get chained:
ComSign certifies Google
Google certifies DazzledServer
DazzledServer certificate is what is read by client.
You would check that ComSign checks out with what you have in your list, and then you can trust DazzledServer's certificate.
I hope THAT made sense. : )
Ask more and I'll try to fill the rest in.
Last edited by astroboy71; April 25th, 2011 at 04:48 PM.
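A worked version of the setup asked about in the question (CA, server and client certificates) and of the chain check described in the reply, as an added example that is not code from this thread: it uses the openssl command-line tool (assumed to be installed) as a private CA, signs a server and a client certificate, and then checks each certificate against a trust list the way a TLS client library does. All names are constructed placeholders.

```shell
# Added example, not from the thread. Assumes the openssl CLI is installed;
# every subject name and file name here is a constructed placeholder.
set -e

WORK=$(mktemp -d)

# 1. Root CA ("master" certificate): self-signed, its private key never
#    leaves the CA. This is the certificate the client keeps in its trust list.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. A certificate signed by that CA; used for both server and client certs.
#    $1 = file prefix, $2 = subject CN
make_signed_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# 3. The client-side check: does the presented certificate chain to
#    something in my trust list? $1 = trust-list file, $2 = cert to check.
#    Prints "ok" or "fail" and returns 0 or 1 accordingly.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok; return 0
  else
    echo fail; return 1
  fi
}

# Build the CA-signed setup plus one stand-alone self-signed server cert
# (the kind a default IIS install issues), so both cases can be compared.
build_all() {
  make_ca
  make_signed_cert server "webservice.example.internal"
  make_signed_cert client "dazzled-client"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=standalone-iis" -keyout "$WORK/standalone.key" \
    -out "$WORK/standalone.crt" 2>/dev/null
}
```

After `build_all`, `verify_against "$WORK/ca.crt" "$WORK/server.crt"` prints ok, while the stand-alone self-signed cert fails against ca.crt and only passes when it is itself placed in the trust list, which is exactly what "accepting" a self-signed certificate means.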
Hi, sorry for the late reaction, but that was an extremely helpful reply. I now accept the self-signed cert and am able to communicate using HTTPS. I also had to recompile Axis2 to be able to use OpenSSL. It seems to work, and Wireshark agrees, too.