Re: How can I act as a Certificate Authority (CA) with openssl ??

From: Joachim Ring (jring_at_web.de)
Date: 09/30/04

Next message: Joe Peschel: "Re: exploring the use of manual encryption of passwords (newbie)"
Previous message: Randy Howard: "Re: Any truth to rumor that NSA had Public Key Crypto first?"
In reply to: Dr. David Kirkby: "How can I act as a Certificate Authority (CA) with openssl ??"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 29 Sep 2004 16:04:20 -0700

> but there is no mention of what processes the CA will use to sign it -
> there is mention of the file ca.txt, but that does not seem to exist.
> I assume the CA will need to generate public and private keys for
> themselves, then sign your certificate (cert.scr in the above
> example), but what is the exact process? Can anyone give me some
> openssl commands that will do it?
>
> I want to create certificates for Apache 2.x.

try http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29
the process is the same for apache2 or in fact anything that uses x509
certificates in PEM format.

if you want to delve into the depths of it you might want to have a
closer look at the docs for openssl ca module under

http://www.openssl.org/docs/apps/ca.html#

the general process to set up a ca is to generate key pair, generate
self-signed ca certificate, store private key in a very safe place,
distribute ca certificate to anybody to trust your ca (ideally by
convincing browser manufacturers to put it into their products by
default), sign certificate requests and keep good track of all certs
issued.
if a cert needs to be revoked, a new revocation list should be
published on the locations which _should_ be mentioned under CRL
distribution points in the ca cert asap.

joachim

Next message: Joe Peschel: "Re: exploring the use of manual encryption of passwords (newbie)"
Previous message: Randy Howard: "Re: Any truth to rumor that NSA had Public Key Crypto first?"
In reply to: Dr. David Kirkby: "How can I act as a Certificate Authority (CA) with openssl ??"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: ADFS Token-signing Certs Not in Trusted Root Store
... This is good info, Joe. ... So now I know that the token-signing certificate is ... Get a signing cert from a CA ... case, you never have to worry about expiration or CRL checking, as your cert ...
(microsoft.public.windows.server.active_directory)
Re: Issues with SSL on Win CE 5.0
... the HKCU certificate store. ... and tell the web server to use it. ... The old cert was in. ...
(microsoft.public.windowsce.embedded)
Re: Accessing certificate store from ASP.NET web project
... the cert must be in the local computer/personal) store - it will then open ... Have a look at the source code to open the right cert store... ... One of the locations requires a x509 certificate in order ... different user context than my vb.net web project. ...
(microsoft.public.dotnet.security)
Re: Web Certificate for IIS Server on SBS Domain
... Before your reply, I actually ran across rapidssl myself, and have ordered and installed the free 30-day certificate on my site. ... I explained what you'd told me about putting my existing configuration at risk by installing Cert Services, and he said he didn't know that. ... Again, if you're just needing a cert to install on your web server to provide SSL connectivity for remote users, go with an external third-party provider. ... When you add Certificate Services on an internal network, lots of internal communications will start using pieces provided by the Cert Server instead of the defaults from Server 2003, and when things blow up, they can blow up gloriously. ...
(microsoft.public.windows.server.sbs)
Re: Dummies Guide for RADIUS/Certs
... I have set up IAS. ... client computers impacts certificate enrollment. ... configure Group Policy for domain member wireless clients so ... Cert Templates that is now enrolled on the IAS server. ...
(microsoft.public.internet.radius)