Re: Being my own CA

From: Richard Hunt (richard.2002.munged_at_no.sp.am.attbi.not.net)
Date: 05/01/03

Date: Thu, 01 May 2003 02:16:38 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Adam Griffiths" <btnews@adam-griffiths.co.uk> wrote in message
news:b8pq3c$6rd$1@titan.btinternet.com...
> Hi
>
> If a Certificate Authority like Verisign or Thawte were to issue me
> with a certificate for my domain www.mydomain.com, intended to be
> used for SSL, what is to stop me using that certificate to issue a
> third party with a certificate for their domain
> www.theirdomain.com? Or say for example I own several domains; I
> could pay a CA for a certificate for one and then use that
> certificate to create certificates for my other domains.
>
> This is not exactly what I'm interested in, but having spent the day
> learning about RSA, SSL and Certificates this is the first question
> I can't find an answer to. Can anyone answer it?
>

Maybe: your certificate would *not* be in anyone's trusted root
certificate store; Verisign's would be, but yours would not, so (I
think) any that *you* signed for other people would cause the
browser to pop up with a "not trusted" dialog box.

> Many thanks
>
> Adam
>
> PS
> Have I asked the right newsgroup? If not, where might a better place
> to post this question be?
>
>

Here is a news server for an independent group of people interested in
these very questions. Add a news account for the server hosted by
Securecomp.org (it is a private NNTP server that allows connections):

        news.Securecomp.org

and subscribe to the group:

        WebOfTrust

Not too long ago, Ridge Cook provided OpenSSL (DOS) batch files which
allowed creating root (CA) and subsequent user X.509 certificates.
Just last week, David Howe provided a VBS script which will create
root (CA) and subsequent user X.509 certificates. Both of these
solutions work, but are "rough" around the edges compared to say,
commercial software. However, they do correctly produce the proper
certificates.

Richard

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBPrBwj555AOjdVgeLEQJBIACglAlKXEpcv8uhcm0oWG1mF8fbidMAoK4G
Z+5Tg5cpYJ0ARxAVhkdI6krz
=K4I6
-----END PGP SIGNATURE-----
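The scenario Adam asks about can be reproduced with the OpenSSL command-line tool. The script below is an added example and is not part of the original thread, nor one of the batch files or scripts Richard mentions; it assumes `openssl` (1.1.x or later) is on PATH, and every name, domain, key and file it creates is constructed for the demonstration. It builds a self-signed root, issues an ordinary server certificate for www.mydomain.com from that root, then uses the www.mydomain.com key to sign a certificate for www.theirdomain.com, exactly as the question proposes. Signing succeeds, because nothing stops a key holder from producing a signature; validation fails, and it fails even for a client that trusts the root, because a server certificate carries the Basic Constraints extension with CA:FALSE and a key usage without keyCertSign, and every standards-conforming chain validator rejects a non-CA certificate in the issuer position. A client that does not trust the root at all rejects the chain earlier still, which is the point Richard makes.

```shell
#!/bin/sh
# Added example, not code from the thread: build a tiny PKI with the OpenSSL
# command-line tool and show how a validator treats a certificate that was
# signed with an ordinary server certificate instead of a CA certificate.
# Assumes `openssl` is on PATH; every name, domain and file below is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# write_ext PATH LINE...: write one X.509 extension per line to PATH
write_ext() {
  out=$1; shift
  : > "$out"
  for line in "$@"; do printf '%s\n' "$line" >> "$out"; done
}

make_demo_certs() {
  # 1. A self-signed root marked as a CA (basicConstraints CA:TRUE, keyCertSign)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  write_ext "$WORK/root.ext" \
    "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign"
  openssl x509 -req -sha256 -days 30 -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -in "$WORK/root.csr" -out "$WORK/root.pem" 2>/dev/null

  # 2. An ordinary server certificate for www.mydomain.com, issued by the root.
  #    A public CA marks such a certificate CA:FALSE and omits keyCertSign.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.mydomain.com" \
    -keyout "$WORK/mydomain.key" -out "$WORK/mydomain.csr" 2>/dev/null
  write_ext "$WORK/mydomain.ext" \
    "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "subjectAltName=DNS:www.mydomain.com"
  openssl x509 -req -sha256 -days 30 -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/mydomain.ext" \
    -in "$WORK/mydomain.csr" -out "$WORK/mydomain.pem" 2>/dev/null

  # 3. The scenario from the question: the holder of the www.mydomain.com key
  #    signs a certificate for www.theirdomain.com. The signing tool does not
  #    refuse; whether anyone accepts the result is decided by the validator.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.theirdomain.com" \
    -keyout "$WORK/theirdomain.key" -out "$WORK/theirdomain.csr" 2>/dev/null
  write_ext "$WORK/theirdomain.ext" \
    "basicConstraints=critical,CA:FALSE" \
    "subjectAltName=DNS:www.theirdomain.com"
  openssl x509 -req -sha256 -days 30 -CA "$WORK/mydomain.pem" -CAkey "$WORK/mydomain.key" \
    -CAcreateserial -extfile "$WORK/theirdomain.ext" \
    -in "$WORK/theirdomain.csr" -out "$WORK/theirdomain.pem" 2>/dev/null
}

# check LABEL LEAF [INTERMEDIATE]: validate LEAF against a store that trusts
# the demo root, offering INTERMEDIATE (if given) as an untrusted chain member.
# Returns 0 if the chain is accepted, 1 if it is rejected.
check() {
  label=$1; leaf=$2; inter=${3:-}
  if [ -n "$inter" ]; then set -- -untrusted "$inter"; else set --; fi
  if out=$(openssl verify -CAfile "$WORK/root.pem" "$@" "$leaf" 2>&1); then
    printf '%s: ACCEPTED\n' "$label"
    return 0
  fi
  printf '%s: REJECTED\n' "$label"
  printf '%s\n' "$out" | sed 's/^/    /'
  return 1
}

make_demo_certs

# The flag the validator acts on: the server certificate says CA:FALSE
openssl x509 -in "$WORK/mydomain.pem" -noout -text | grep -A1 'Basic Constraints'

check "www.mydomain.com issued by Demo Root CA" "$WORK/mydomain.pem" || true
check "www.theirdomain.com issued by www.mydomain.com" \
      "$WORK/theirdomain.pem" "$WORK/mydomain.pem" || true
```

The second check is the one to read: OpenSSL reports the www.mydomain.com certificate as an invalid CA (or as lacking the certificate-signing key usage, depending on which check the version runs first) and refuses the chain, so a browser would show the "not trusted" warning even if it trusted the root that issued the www.mydomain.com certificate. The defence rests on the issuing CA setting CA:FALSE on every end-entity certificate and on clients enforcing it, which is why a private CA built with scripts like the ones Richard mentions should set Basic Constraints explicitly on both root and user certificates.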
