Re: Being my own CA
From: Richard Hunt (richard.2002.munged_at_no.sp.am.attbi.not.net)
Date: Thu, 01 May 2003 02:16:38 GMT
-----BEGIN PGP SIGNED MESSAGE-----
"Adam Griffiths" <email@example.com> wrote in message
> If a Certificate Authority like Verisign or Thawte were to issue me
> with a certificate for my domain www.mydomain.com, intended to be
> used for SSL. What is to stop me using that certificate to issue a
> third party with a certificate for their domain
> www.theirdomain.com? Or say for example I own several domains; I
> could pay a CA for a certificate for one and then use that
> certificate to create certificates for my other domains.
> This is not exactly what I'm interested but having spent the day
> learning about RSA, SSL and Certificates this is the first question
> I can't find an answer to. Can anyone answer it?
maybe: your certificate would *Not* be in anyone's trusted root
certificate store; Verisign's would be, but yours would not, so (I
think) that any that *you* signed for other people would cause the
browser to pop up with a "not trusted" dialog box.
> Many thanks
> Have I asked the right newsgroup? if not where might a better place
> to post this question be?
here is a newsserver for an independent group of people interested in
these very questions. Add a news account to the server hosted by
Securecomp.org (it is a private NNTP server that allows connections)
and subscribe to the group
Not too long ago, Ridge Cook provided OpenSSL (DOS) batch files which
allowed creating root (CA) and subsequent user X.509 certificates.
Just last week, David Howe provided a VBS script which will create
root (CA) and subsequent user X.509 certificates. Both of these
solutions work, but are "rough" around the edges compared to say,
commercial software. However, they do correctly produce the proper
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
-----END PGP SIGNATURE-----