NetTalk Central

Author Topic: How to use certificates to read a SSL page?  (Read 12021 times)

Alberto

  • Hero Member
  • *****
  • Posts: 1873
    • MSN Messenger - alberto-michelis@hotmail.com
    • View Profile
    • ARMi software solutions
    • Email
How to use certificates to read a SSL page?
« on: November 26, 2010, 10:49:18 AM »
Hi, Im with a serious problem.
I need to comunicate with a Web Service, they gave me two certificates (.cer) , one is CA and I cant open a single https page to check it.
I´ve tried it with Firefox and it opens the page ok but trying with the demo app its imposible.
Anyone knows how to deal with certificates?
The NT docs are so vague on it and I dont understand what to do.
Whats the difference betwen use a .cer /.key files and only use a CA file?
What does
DontVerifyRemoteCertificateCommonName and
DontVerifyRemoteCertificateWithCARoot
means and how to use this switches ?
Thanks in advance.
Alberto
-----------
Regards
Alberto

Flint G

  • Jr. Member
  • **
  • Posts: 55
    • View Profile
    • Email
Re: How to use certificates to read a SSL page?
« Reply #1 on: March 15, 2011, 09:30:44 AM »
Alberto, et. al.

This thread may be helpful: http://www.nettalkcentral.com/index.php?option=com_smf&Itemid=36&topic=1936.0

> > I need to comunicate with a Web Service, they gave me two certificates (.cer) , one is CA and I cant open a single > > > https page to check it.
> > I´ve tried it with Firefox and it opens the page ok but trying with the demo app its imposible.
> > Anyone knows how to deal with certificates?

You could take the CA certificate they provided and add it to your CA_Roots.pem file to ensure that your app will recognize all certificates signed by that CA.  See the above-mentioned thread.

> > Whats the difference betwen use a .cer /.key files and only use a CA file?

The .key and .crt files are a pair that work together.  The *.key file is used to generate the unique signature of the certificate, and is used to generate the certificate sign request (CSR).  This file should _NEVER_ leave the server.  Anyone that gets hold of this file could duplicate your certificate and produce a fake used to do any number of unmentionable things.

The *.crt file is the certificate, signed by a Certification Authority (CA) who has verified to some extent the authenticity of the CSR & application.  This is the public-facing component of the system.  This certificate is passed to the browser or application and used as a basis for encrypting the communication.  It's ok for this file to travel from place to place and be handed out at with your application/site.

Likewise, there is a *.key file associated with the CA's *.crt file used to sign any other certificate.  It would be especially bad if the CA.key and CA.crt saw the light of day together unsupervised.  The CA.crt file is imported into a browser's store (or, in the case of an application, some file that has aggregated CA root certificates, like the CA_Roots.pem file for NetTalk) and the browser trusts any certificate signed using that key-chain.

> > What does
> > DontVerifyRemoteCertificateCommonName and
> > DontVerifyRemoteCertificateWithCARoot
> > means and how to use this switches ?

The "DontVerifyRemoteCertificateCommonName" property tells NetTalk to verify the server's name with the address it was looking for.  If it doesn't match, there's a problem.  I would leave this on for most cases, as this verification is sort of the whole point of an SSL certificate.  The "DontVerifyRemoteCertificateWithCARoot" property tells NetTalk to look in the CA_Roots.pem file for the signer of the certificate.  If it can't find it, there's a problem.  This could be turned off if you are confident you are always connecting to the right server.  However, I would refer you again to the other thread mentioned above.


Hope this helps!

Regards,
Flint
NetTalk: 12.26
Clarion: 9.1.11529
Brave: 1.31.88
Chrome: 95.0.4638.69
Edge: 95.0.1020.44
ExtJS: 7.0.0.156