saz has asked for the wisdom of the Perl Monks concerning the following question:

I have a question about certificates. I have some basic code that logs into a website and should retrieve some basic pages. I know that the server is expecting a certificate to be sent back.... where do I get the certificate from? I know there are ways you can create fake ones etc... but how do I get a real one that will really work logging into the site... Also it seems that all the examples I see only send the certificate once. When and how do I really have to send this certificate? On every page request? Is there a module or routines that do the same for certificates that $ua->cookie_jar(HTTP::Cookies->new()); does for cookies... automatically does the communications for every get etc...?

Replies are listed 'Best First'.
Re: Certificates...
by Pug (Monk) on Mar 17, 2003 at 20:49 UTC
    Is the web server you are trying to connect to doing Client Auth. SSL?

    If it is doing Client Auth then you need to know what conditions the server has to accept the client auth. SSL before you can make the certificate and try to log in to the site. Once you have the certificate you can use the LWP after you install a few modules (do a super search for their names) and make $ENV{HTTPS_CERT_FILE} and $ENV{HTTPS_KEY_FILE} point to the right files.

    If the server is doing normal SSL you can use the Normal LWP stuff after you install a few CPAN modules (The same super search from above should point you in the direction for that.)

    --
    Pug

      Thanks.... that is what I needed to know.... LWP will handle all the transaction stuff once I set those environment variables. Now the only question is 'WHERE DO I GET THESE FILES FROM?' Thank you Pug.
        Saz,

        No problem.
        As for getting the certificates.. Talk to the webmaster. Sorry, not a Perl or technical issue. I really can't help on this. 8)
        --
        Pug

        It depends. You may need one from a commercial CA, e.g. Thawte, or from a CA associated with the site. Check with the site admin as Pug suggested.

        --traveler
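
The client-certificate setup discussed in this sub-thread, as an added example that is not part of the original posts: it uses the `ssl_opts` interface of LWP 6 (with LWP::Protocol::https and IO::Socket::SSL installed) and shows that one user agent object supplies the certificate for every connection, much as `cookie_jar` does for cookies. The file names `client-cert.pem` and `client-key.pem`, the fallback to the two environment variables, and the URL argument are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example: LWP with a client certificate (mutual TLS).
# File names and the URL are placeholders, not values from the thread.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

my $cert_file = $ENV{HTTPS_CERT_FILE} // 'client-cert.pem';  # PEM cert issued by a CA the site trusts
my $key_file  = $ENV{HTTPS_KEY_FILE}  // 'client-key.pem';   # matching private key
my $url       = shift @ARGV;                                 # e.g. https://www.example.com/

# Refuse to run with a missing credential or a private key other users can read.
sub check_credentials {
    my ($cert, $key) = @_;
    for my $f ($cert, $key) {
        return "missing or unreadable file: $f" unless -f $f && -r _;
    }
    my $mode = (stat $key)[2] & 07777;
    return sprintf('private key %s has mode %04o; restrict it to 0600', $key, $mode)
        if $^O ne 'MSWin32' && ($mode & 0077);
    return;    # undef means the files look usable
}

sub build_ua {
    my ($cert, $key) = @_;
    return LWP::UserAgent->new(
        cookie_jar => HTTP::Cookies->new,
        ssl_opts   => {
            verify_hostname => 1,        # keep authenticating the server too
            SSL_cert_file   => $cert,    # handed through to IO::Socket::SSL
            SSL_key_file    => $key,
        },
    );
}

if (my $problem = check_credentials($cert_file, $key_file)) {
    die "$problem\n";
}
die "usage: $0 https://host/path\n" unless defined $url;

my $ua = build_ua($cert_file, $key_file);
# The certificate is presented in each TLS handshake, not in each HTTP request;
# the same $ua object supplies it for every connection it opens.
for my $page ($url, $url) {
    my $res = $ua->get($page);
    printf "%s -> %s\n", $page, $res->status_line;
}
```

The `$ENV{HTTPS_CERT_FILE}` and `$ENV{HTTPS_KEY_FILE}` variables Pug mentions are read directly by Crypt::SSLeay; with IO::Socket::SSL the paths have to be passed through `ssl_opts` as shown.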

Re: Certificates...
by sauoq (Abbot) on Mar 17, 2003 at 20:54 UTC
    I know that the server is expecting a certificate to be sent back....

    You've got it a little backward. If it is a "secure server" (in other words, one that handles SSL,) then the server will have a certificate installed. The certificate will be signed by a "certificate authority" or CA. The CA will either be a known and generally trusted third party such as Verisign or Thawte or it could be an unknown such as the company that owns the server itself.

    You could theoretically have an encrypted conversation with a server without requiring a certificate at all. The problem is that you wouldn't know the server was really the server you wanted to communicate with, and that's not very secure after all, is it? The certificate essentially says, "this is really www.example.com." Since servers don't usually care who is talking to them, there is no reason to try to verify it the other way around. That's why you, as the client, probably don't need a certificate. (There are rare exceptions to this.) That's also why locally signed certificates shouldn't be used for anything but testing (or internal to an organization.)

    LWP works just fine with SSL as long as you have configured it to when compiling and have the proper libraries. Read the documentation for more information.

    Update: If you are really in a situation where client authentication is required, then you should ask the owner of the server what the requirements are. Depending on the CA(s) that the server trusts, you may have to be issued one or you may have to purchase one.

    -sauoq
    "My two cents aren't worth a dime.";
    

      Actually it does work both ways, you can use a certificate that identifies the browser rather than the server to do client authentication.


      We're not surrounded, we're in a target-rich environment!