Article: Introducing SSL and Certificates using SSLeay
Introducing SSL and Certificates using SSLeay
was originally published in
Web Security: A Matter of Trust, the World Wide Web Journal,
Volume 2, Issue 3, Summer 1997. The author,Frederick Hirsch, was at
the Open Group Research Institute at the time. It is available in
online form here.
This article was also used as the basis,
with revision by Ralph Engelschall, as
introductory information for the Apache web server
Since the article was published, some changes have occured in browser
technology, simplifing the process. Some corrections have also been noted.
Since the article was written is has become much easier to
import client certificates into a browser, eliminating much of the
function. Both Netscape Navigator and Internet Explorer support
directly importing certificates.
In Internet Explorer (e.g. 5.0), the certificate import wizard may
be accessed by selecting the Internet Options menu item in the
Tools menu, then selecting the content tab and pushing
the certificates button in the certificates section. This
brings up the Certificate Manager pane. Pushing the import
button starts the import wizard which allows importing a single client
certificate stored in a single file at one time, in one of the
- PKCS#12 format
- CMS standard PKCS#7 format
- Microsoft Serialized Certificate Store format
Netscape Navigator (e.g. 4.5) supports a similar facility. Selecting
the Tools menu item in the Communicator menu, and then
the Security Info menu item in the side menu causes the
Security Info pane to appear. Clicking on the Yours link in the
Certificates section causes the import pane to appear. Pushing
the Import a Certificate button makes it possible to import a
client certificate stored in PKCS#12 format in a file.
Ralph Engelschall mentioned the following corrections:
- The article should refer to TLS 1.0, not "TLS 2.0".
The misunderstanding was due to the document being revision 2, not
that the protocol is at that revision (tls-xxxxx-02.txt)
- The CN of a DN is only a wildcard pattern, not a regular
The example has to match the term: it's *.xxx.dom and for a regex it
has to be at least .*.xxx.dom. But because it's a pattern *.xxx.dom
was correct. Only the term "regular expression" was not
- There is once the typo "Transaction Layer Security", it
should be "Transport Layer Security".
- RSA refers to both algorithm and company, depending on the context.
"RSA DSI" should be used to refer to the official name of
- "NULL encryption" should be "Null
- "Browser client" can be just "browser", since
client is implicit in the context of the web.
Please send additional comments or corrections to firstname.lastname@example.org.