The
SSLChat sample application requires that a certificate, signed for use as a
server, is installed and used for the server in the communication. Additionally, if mutual authentication is
required, and the client wants to present a certificate as its identity, then
there must also be a certificate installed on the client system. Finally, all certificates used in the
chat-transaction are signed by a Certificate Authority (CA). The CA’s that sign the certificates have a
public certificate which must be a root authority on both systems involved in
the chat-communication.
The text
of Programming Server-Side Applications for Microsoft Windows 2000
includes some discussion on how to obtain certificates for use in your SSL
code. However, for the sake of
simplifying your usage of the samples included on with this book, three “test”
certificates have been included on the CD.
A certificate for client, server, and peer-to-peer authentication has
been included.
The sample
certificates included on the CD-ROM are stored in the “.pfx” file format. This includes all of the certificate
information as well as the matching private key. Finally, the public key information for the signing CA is also
included in the .pfx file.
You can
install each certificate by using the “Certificates” snap-in for the MMC. You can also double click on a “.pfx” file
to automatically launch the wizard to install a certificate on your
system. Finally, you can use the
SSLChat sample application to run the installation wizards for all three
certificates. Here are the certificate
files included on the CD-ROM:
All .pfx
files are encrypted using the hash of a password provided at the time that the
private key was exported. To install
the certificates, you will need to provide the password needed to decrypt the
.pfx file. The password for each
.pfx file included on this CD-ROM is as follows: ProgServ
For an
installed certificate to be useful, you must also allow the installation wizard
to add the certificates signing CA to your trusted root authorities. However, idly adding a CA to your root
authorities can be dangerous. Any CA in
your root effectively has the right to create server and client certificates
that will be trusted by your system.
All of the certificates included on the sample CD-ROM were created and signed by the following CA: Programming Server-Side Applications Test CA. In general, once this CA has been added to your root authorities, any certificate that it creates will be trustable by your system. The CA that created these certificates (and its private key) has since been deleted. However, this does not guarantee that the private key of the CA cannot be derived from the public key using brute force methods.
Normally, brute-force methods are unreasonable because of the relatively short lifespan of certificates (including root certificates). However, the certificates in this book have a lifespan of 19 years, and the certificate for the Programming Server-Side Applications Test CA has a lifespan of 20 years. The certificate for the sample root CA does not expire until the year 2020!
To assure that no malicious activity is performed because of the security risks of using these test certificates, here are the steps you should take.
If your system contains sensitive data, or it is
networked with systems that contain sensitive data, you should not
browse the general internet while the certificate for the Programming
Server-Side Applications Test CA is included in your systems trusted root
CA’s!
Install the client certificate now.
Install the server certificate now.
Install the peer-to-peer certificate now.
The
instructions below briefly describe possible ways to set up and test the
SSLChat sample. It is necessary to have two networked computers that support
TCP/IP.
a.
Select
the Client option.
b.
In
the Connect To box, identify the server computer. This can be an Internet
address (www.northwind.microsoft.com), an IP address (xxx.xxx.xxx.xxx), or a
server name (SERVER1).
c.
From
the Select Certificate From Personal Store drop-down list, select TestClient or
TestPeerToPeer.
d.
In
the Server Certificate Name box, type the servers certificate name ("TestServer"
for example).