Re: Help with issuing self signed certificates



On 10 December, 18:27, Doug McIntyre <mer...@xxxxxxxxx> wrote:
Asi <asi....@xxxxxxxxx> writes:
I try to understand something about self signed certificates.
I generate a RSA key using openSSL.
Then I sign the key using the command:
openssl req -new -x509 -nodes -sha -days 365 -key key.pem -out keyca.pem
my questions please:
1. Does the new keyca.pem replace the original key.pem file in my TLS
server configuration, or do I need to configure both?
2. How do I make the clients trust my CA? I understand I need to
install the CA's public key for that. How do I create / find it from
openSSL?
This is a test setup, and I have full control on server AND clients
configurations.

You need a bit more setup to utilize this.

OpenSSL comes with a simplistic script CA.sh (there's also a perl
version that is exactly the same) that does much of what is needed.

You also need a CA certificate, and a few files here and there for the
simplistic script. It's probably easiest to just find and run the
script and follow along with what it is doing.

As to some of the other points...
A certificate is tied to a key. They go together. A certificate is not
standalone, it requires both parts.

You make your clients trust your CA, by loading the CA's public cert
onto each client's keychain, with whatever method each of your various
platforms may require to do that.

The CA.sh script will create a CA cert/key as well as any server cert/key
that you request.

Ok, I've managed to create both key and certificate.
If both should be configured on the server, what goes to the client?
Also the certificate, or should I extract the public key out of it
somehow..?
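A worked version of the flow Doug describes, as an added example that is not part of the thread and does not use CA.sh: plain openssl commands build a CA, sign a separate server key, and check what each side needs (the server keeps server.key plus server.crt, clients import only ca.crt). The config file pki.cnf, the file names and the hostname test.example are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal test PKI with plain openssl.
# pki.cnf, ca.key, server.key and test.example are names chosen for this demo.
set -eu

write_config() {
  cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Test Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:test.example
EOF
}
# Build everything inside directory $1 (subshell, so the caller's cwd is untouched).
make_test_pki() (
  cd "$1" && write_config pki.cnf
  # CA: ca.key never leaves the CA machine; ca.crt is the public part clients import.
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt -config pki.cnf
  # Server: its own key and CSR, then a certificate signed with the CA key.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -sha256 -key server.key -out server.csr \
    -config pki.cnf -subj "/CN=test.example"
  openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -extfile pki.cnf -extensions server_ext 2>/dev/null
)
# What a client relies on: the chain verifies against ca.crt alone, server.key
# really belongs to server.crt, and ca.crt carries no private key material.
check_test_pki() (
  cd "$1"
  openssl verify -CAfile ca.crt server.crt >/dev/null
  openssl pkey -in server.key -pubout > k.pub
  openssl x509 -in server.crt -noout -pubkey > c.pub
  cmp -s k.pub c.pub
  ! grep -q "PRIVATE KEY" ca.crt
)
```

Run `make_test_pki "$(mktemp -d)"` and then `check_test_pki` on the same directory; every check exits non-zero if the pairing or the trust chain is wrong.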