PKI Compatibility
Hello Guys, I want to know whether the PKIs on two different platforms (i.e. Windows and Linux) are compatible with each other. What I essentially mean is that Windows uses a CryptoAPI (CSP) based approach, where every CSP implements algorithms differently and different CSPs are compatible with each other only up to the verification of digital signatures, and Linux definitely doesn't use the CryptoAPI (CSP) architecture. As mentioned, even on Windows itself only digital signatures can be verified by CSPs other than the one used to generate them. So with all these differences, can two hosts, one with Windows and one with Linux, use their certificates to encrypt communication with each other? I have looked hard, but have failed to find an answer to this question.

Regards,
wakh
June 2nd, 2009 6:31pm

It seems that no one is aware of the answer.
June 9th, 2009 10:12pm

wakh, well almost ;-) yes they are... that depends on the CSP in question and you need to find common ground... you can use the RSA CSP in CS and this should work..... for example.... I've used Microsoft Certificate Services to issue certs to Apache (Linux) web servers before via OpenSSL... you also need to consider encoding.... (the request should be in Base64)... what exactly are you trying to do... client certificates?

Regards,
Mylo
June 9th, 2009 10:22pm

Thanks for the input Mylo. That's what I have thought too, that the algorithmic implementation inside a particular CSP and its counterpart on the Linux side must be the same for the certificates to work. As with the RSA SChannel CSP on Windows, which is a standard implementation on both Windows and Linux. I was examining the webserver certificate template, and noticed that it requires the use of the RSA CSP to issue certificates; if any other Microsoft CSPs are used then the request is denied. It justifies why it's so, because if a Microsoft CSP is used to issue a certificate to, for example, Apache on Linux then it will not work. Yes, I'm trying to issue client certificates.

Regards,
wakh

P.S: It seems that I had to bump the thread to get your reply. ;-)
June 9th, 2009 10:47pm

Wakh, NP... I just replied to a post on another thread that you didn't start so we're even ;-) Let me know how you get on...

Cheers,
Mylo
June 9th, 2009 11:04pm

Yeah sure, will keep you updated. About the other post :-).

Best Regards,
wakh
June 10th, 2009 1:48am

OK, I successfully issued a webserver certificate to a Linux client.
June 12th, 2009 11:10pm

How, if I may ask. Information is the most valuable commodity I know of.
June 13th, 2009 9:52pm

Shems, for non-Windows environments, I suggest you familiarize yourself with OpenSSL and Keytool. For web servers (Apache/Tomcat) you need to issue a certificate which has the "Server Authentication" use in the key usage extension. You can duplicate the default web server certificate template and then make changes to this template. You'll need to enable the user to enroll through the security tab on the template. You'll then need to add the template in the CA snap-in to make it available for publishing. One final tip... beware of encoding formats... Apache likes the PEM format while Tomcat likes DER encoding.

Regards,
Mylo
June 16th, 2009 2:05pm
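The Linux side of the procedure Mylo describes, as an added example that is not code from this thread: OpenSSL builds a PKCS#10 request carrying the Server Authentication extended key usage, the request is verified, and it is round-tripped between the PEM encoding Apache wants and the DER encoding Tomcat wants to show that only the encoding differs. It assumes the openssl CLI is installed; the hostname, paths and working directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS#10 request on the Linux side
# with OpenSSL, request the Server Authentication EKU, and round-trip the request
# between PEM (Apache) and DER (Tomcat). Assumes the openssl CLI is available;
# all names and paths are placeholders.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Minimal request config: a placeholder hostname plus the
# Server Authentication (serverAuth) extended key usage.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = www.example.test
[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF
}

# Generate an RSA key and a PEM (Base64) PKCS#10 CSR, the form a Windows CA accepts.
make_csr() {
  write_req_config
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -config "$WORK/req.cnf" -out "$WORK/server.csr"
}

# Check the CSR's self-signature and that serverAuth is among the requested extensions.
csr_has_server_auth() {
  openssl req -in "$WORK/server.csr" -verify -noout 2>/dev/null || return 1
  openssl req -in "$WORK/server.csr" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Convert PEM -> DER -> PEM and confirm the bytes match: the encoding differs, the content does not.
roundtrip_encoding_is_lossless() {
  openssl req -in "$WORK/server.csr" -outform DER -out "$WORK/server.der"
  openssl req -in "$WORK/server.der" -inform DER -outform PEM -out "$WORK/server2.csr"
  cmp -s "$WORK/server.csr" "$WORK/server2.csr"
}
```

Call make_csr, then csr_has_server_auth and roundtrip_encoding_is_lossless; server.csr is what you submit to the Windows CA, and server.der is the same request in the encoding Tomcat tooling expects.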

Hi Wakh, I would separate an evaluation of CSPs from a discussion of PKI compatibility. The latter term is, in my point of view, used in the sense of X.509 certificate and request compatibility, but CSPs and middleware deal with access to the private key store. With respect to X.509 stuff I would further distinguish between issues on enrollment (such as: is a request from a Linux web server accepted by a Windows CA) and certificate validation (when the cert. has been installed and should be validated by a relying party application). Different PKI platforms can issue compatible certificates and requests. You can create a PKCS#10 request at a Linux webserver and send it to a Windows CA which will issue an X.509 certificate that can be successfully installed. You can create a request at a Windows client and send it to a Linux based CA. You can subordinate CAs running on different platforms to each other. In this respect, compatibility is not a problem as long as all applications adhere to the X.509 RFCs. CSPs and PKCS#11 middleware however deal with the access of the operating system to a private key. There is PKCS#11 middleware available for both platforms and you are right that CSPs only exist for Windows. Although certificate validation might be built into software called middleware by a vendor, certificate validation should be considered separate from the CSP layer. Validation is up to the application, which is located in a logical layer higher than the CSP. There are lots of issues with certificate validation, but this is not only related to the underlying OS but rather specific to applications (such as browsers, VPN clients, IPsec clients, policies checking code signatures, e-mail clients....). An application may refer to underlying OS routines when validating cert. chains but it may as well use its proprietary methods. All these issues are in my point of view due to the fact
- that the RFC allows for quite some freedom in using X.509 extensions
- that not even the RFC is followed sometimes
I recommend the following article by Peter Gutmann on X.509 design and pitfalls; I have found a lot of similar issues also in current implementations: http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

Best regards,
Elke
July 16th, 2009 9:38pm
