[cvsnt] sserver with self-signed certificates

Charles Oram charlesoram at hotmail.com
Tue Mar 14 20:04:09 GMT 2006

Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.

Tony wrote:

>Charles Oram wrote:
>>So if I install the user's self-signed certificate on the server, isn't 
>>that just giving the server the user's public key so that the server can 
>>authenticate the user? OK, I don't have the full chain of trust that you 
>>have with signed certificates, but you need more than a username and 
>>password to login to CVS then.
>That's not how SSL works - you create a local CA, then issue certificates 
>from that CA to your clients.  The server then knows it can trust the 
>certificate as it was issued from its own (trusted) CA.  You'd have to 
>issue the ca.pem for your local CA of course...
>This not only allows you to control which clients can connect, but you can 
>control things like the expiration date and revoke old clients easily.
>I know of no implementations that work as you suggest - the whole point of 
>signing is you don't need huge databases of valid clients.. you'd end  up 
>with login time sucking as it'd have to compare every public key it knew 
>about with the supplied one (that's even if it's possible to implement such 
>a scheme in SSL.. you might not be able to get the presented keys & convert 
>them into a useful format anyway).

OK, but is the server certificate that was generated with genkey is 
self-signed? Can I just make my own client certifcates that are signed with 
the server private key? And if so, how do you do it - can I just use the 
openssl tools?
Thanks for your help.


Read the latest Hollywood gossip  @  http://xtramsn.co.nz/entertainment

More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook