Comment 5 for bug 551811

buzzdee (sebastia) wrote :

> I think it first should be tried to improve the interface so that less explanation is needed.
Yes, but certificate handling/management was never easy to explain ;)

The easiest thing is to put a horizontal line between the TLS certfile/keyfile and the TLS CA file to separate those options, and put a meaningful headline in each of the sections.

Some additional questions:
* Did you already try the jabber.org certificate?
No, I was unable to register, via web and via Coccinella/Pidgin; I got an error. But you may try the certificate file I appended here.

* What if a user has multiple profiles with different servers? Is it possible to use the same certificate(s) for all servers?
Yes, it is. All certificates can be stuffed into the same TLS CA file, like I did: I put the certificate chains for StartSSL, CAcert and Equifax into one file, and Coccinella is able to verify all three kinds of server certificates. See the appended file. So we could add this file to Coccinella, install it together with Coccinella, and make it the default TLS CA file.

* What is the difference between the TLS certificate and TLS key? Do you need both?
Yes, both are needed; it's public key cryptography ;) The TLS key is the private part and needs to be kept secret; the TLS certificate is the public part and is sent to the server. And in case the server knows about the certificate that signed the client certificate, the server will be able to verify the authenticity of the client certificate.
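As an added illustration of the point that several CA certificates can share one TLS CA file (this script is not part of the bug comment or of Coccinella): it generates three throwaway CAs with openssl, bundles two of them into a single PEM file, and checks which server certificates verify against that bundle. It assumes the openssl command-line tool is installed; all CA names, host names and certificates are constructed locally in a temporary directory.

```shell
#!/bin/sh
# Added example: a "TLS CA file" is just CA certificates concatenated in PEM form.
# Requires the openssl CLI (assumption); everything below is generated on the fly.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA key and certificate (constructed test CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1 test CA" >/dev/null 2>&1
}

# make_server CA HOST: create a server key and a certificate signed by CA.
make_server() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_with_bundle BUNDLE HOST: exit 0 iff HOST's cert chains to a CA in BUNDLE.
verify_with_bundle() {
    openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# count_certs FILE: how many PEM certificates (trusted CAs) the file contains.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

make_ca ca1; make_ca ca2; make_ca ca3
make_server ca1 server-one.example
make_server ca2 server-two.example
make_server ca3 server-three.example

# The single TLS CA file: ca1 and ca2 concatenated; ca3 deliberately left out.
cat "$WORK/ca1.pem" "$WORK/ca2.pem" > "$WORK/ca-bundle.pem"

verify_with_bundle "$WORK/ca-bundle.pem" server-one.example && echo "server-one: verified"
verify_with_bundle "$WORK/ca-bundle.pem" server-two.example && echo "server-two: verified"
verify_with_bundle "$WORK/ca-bundle.pem" server-three.example || echo "server-three: NOT verified (its CA is not in the bundle)"
```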