Hej Thiago, > Whether they work or not is irrelevant, since you shouldn't be shipping the > same certificate to all users. You'd have to make it extremely long-lived > (expiry 20 years from now). Generating a short-lived one (3 months) limits > the > damage if it somehow gets misused.
just to avoid misunderstandings: The goal is not sending existing certificates as part of the application download but rather generate the certificte automatically upon launching the app ? > There are lots of examples on the Internet on how to do this with the openssl > command. You'll have to find out how to do it with the API, if you don't want > to ship the command. If my assumption above is right then any kind of automized process would be fine to me - e.g. running the openssl command as part of a script, which is executed before launching the application or probably generate the certificate within the app code which would be even more convenient. Is this somehow the right track or am I completely mistaken ? Sorry again - completely new in the domain of security ;-) Best Alex > 1) create a private/public key pair (usually RSA, but doesn't need to be). > Creating a private key usually involves random number, so please be sure that > OpenSSL's random generator is properly seeded, if it can't be guaranteed to > auto-seed. Qt's QRandomGenerator::system() is of cryptographic quality and > requires no seeding[*], so you can use it to generate random data to seed > OpenSSL if necessary. RSA key pairs are usually big these days (2048 to 4096 > bits), so you may want to investigate an elliptic curve key instead, which > would reduce the computation time. > > 2) create a certificate-signing request (CSR), which contains the certificate > header fields. Notably, it has the CN (Common Name) field, which identifies > which hostnames it applies for. You want "localhost" > > 3) sign the CSR. You'll sign with the key used in #1, causing this to be self- > signed. The result is the certificate. > > There are lots of examples on the Internet on how to do this with the openssl > command. You'll have to find out how to do it with the API, if you don't want > to ship the command. > > For anyone wondering about turning off the SSL error on self-signed > certificates: self-signing isn't inherently bad. The SSL error comes not > because the certificate is self-signed, but because it's not signed by any > certificate in the Certificate Authority list. The fact it's self-signed is > simply extra information, as it's the most common cause of an authority not > being found. But if you add the certificate itself to the CA list (in fact, > make it the only entry!), then it'll match to a CA and you get no SSL error. > > [*] this is also why René is having problems with the RDRAND instruction in > the other thread. > -- > Thiago Macieira - thiago.macieira (AT) intel.com > Software Architect - Intel DPG Cloud Engineering > > > > _______________________________________________ > Interest mailing list > Interest@qt-project.org > https://lists.qt-project.org/listinfo/interest > _______________________________________________ Interest mailing list Interest@qt-project.org https://lists.qt-project.org/listinfo/interest
