Generating key and certificate for QSslSocket

[dawwin]

I am writing simple network communicator which uses SSL, and I want to be sure how to create certificate and private key correctly. I use following command to create keys:

Qt Code:

Switch view

openssl req -x509 -newkey rsa:2048 -keyout server.key -days 365 -out server.crt -nodes

openssl req -x509 -newkey rsa:2048 -keyout server.key -days 365 -out server.crt -nodes

To copy to clipboard, switch view to plain text mode 

And on the server I use
server.crt as argument for addCaCertificate() and setLocalCertificate()
server.key as argument for setPrivateKey()
On the client I use
server.crt as argument for addCaCertificate()
server.crt is public and I share this for users
I want to know if this, what I described is correct and secure

[wysota]

In my opinion CA and the server should have different certificates. The server certificate should be signed with the CA certificate.

[dawwin]

Now I use following commands to generate keys

Qt Code:

Switch view

./CA.pl -newca
./CA.pl -newreq-nodes
./CA.pl -signreq

./CA.pl -newca
./CA.pl -newreq-nodes
./CA.pl -signreq

To copy to clipboard, switch view to plain text mode 

CA certificate is generated in demoCA/cacert.pem
Private key is newkey.pem
Signed certificate is newcert.pem

On the server I use
demoCA/cacert.pem as argument for addCaCertificate()
newcert.pem as argument for setLocalCertificate()
newkey.pem as argument for setPrivateKey()
On the client I use
demoCA/cacert.pem as argument for addCaCertificate()
demoCA/cacert.pem is public

How about now?

[wysota]

I don't know what this perl script does so it is hard to say, but it looks better now.

[dawwin]

This script is available in /usr/lib/ssl/misc directory. It's part of the OpenSSL

Qt Code:

Switch view

./CA.pl -newca #creates new CA certificate
./CA.pl -newreq-nodes #creates a new certificate request
./CA.pl -signreq #calls the ca program to sign a certificate request

./CA.pl -newca #creates new CA certificate
./CA.pl -newreq-nodes #creates a new certificate request
./CA.pl -signreq #calls the ca program to sign a certificate request

To copy to clipboard, switch view to plain text mode 

[wysota]

This script is available in /usr/lib/ssl/misc directory. It's part of the OpenSSL

Which doesn't mean I have to immediately run to /usr/lib/ssl/misc and analyze it, right? This is nothing related to Qt, you know.

[dawwin]

I explained commands, which I use to generate keys so You don't have to analyze this script. I don't even want you to do this. I just want to know if I use private key and certificates correctly

[wysota]

I explained commands, which I use to generate keys

No. You listed calls to a perl script that calls *some* openssl commands that do something. Since without looking at CA.pl it is not possible to determine what commands they are it is not possible to say whether what you are doing is what you should do.

I just want to know if I use private key and certificates correctly

No idea, ask on an OpenSSL forum. The SSL handshake is done by OpenSSL and not Qt, this is really nothing related to Qt. Qt just passes the data you provide to the underlying SSL layer. I would say that if it works, it is fine. You don't have any security here anyway as you're using a self-signed certificate so this doesn't really matter, you just want the handshake to succeed. Only that you have a chance to deliver your CA certificate using some safe channel to your clients and if they install it as a trusted certificate and verify it when starting the connection it will be ok. But that's of course also nothing related to Qt...