Hello Jakob

On Monday 25 August 2008 08:51:42 Jakob Grießmann wrote:
> Hello,
>
> does anyone have a howto on how to generate a self-signed extended
> validation certificate, or on how to set-up my own CA for local use
> that gives out EVN certificates?
>
> I know how to do this for normal certificates, but was unable to find
> more details on extended validation certificates...

I take it what you are really shooting for is the fancy "make the location bar 
go green, and display the company name" in a browser. Unfortunately, from my 
understanding, that's not possible (and that's what makes EVSSL certs actually 
worth something). 

From my understanding, what tells the browser to give all of those visual 
clues to the user that EVSSL certs convey is as follows:

1: The Certificate is signed by an EVSSL provider, as certified by the 
CA/Browser forum. (The CA has to pass an audit showing they conform to the 
EVSSL Certificate policy, and submit the results to the browser writers)

2: The Certificate asserts one of the EVSSL Certificate Policy OIDs from one 
of those CAs

3: The Certificate contains the correctly formatted DN as per the Certificate 
Policy promulgated by the CA/Browser forum.

So, you COULD produce a certificate that has the correctly formatted DN in it, 
but aside from that, you're pretty much stuck, I'm afraid, unless you were to 
completely replace one of the EVSSL Certificate provider's root CA certificate 
and all of the intermediate chains in the browser, and those CA certs were 
all correctly formatted, and the server certificate was also correctly 
formatted. And even then I'm not sure that it would work, as I've got no idea 
if the browsers have some sort of checksum or hash that they compare the CA 
certificate to.

Even if you were to get all of the technical bits correct, and replace the 
appropriate bits in the browser, I imagine that some CA authority's legal 
department may want to have a word with you for corporate impersonation.

So, no, you can't do this with a self-signed certificate, no matter what the 
toolkit :)

Have fun.

--
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
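The three structural pieces the reply lists (a CA-specific policy OID, the EV-style 
subject, and a root the browser trusts for EV) can be exercised with plain openssl. 
The script below is an added example, not part of the original thread nor anything 
from the OpenSSL project or Carillon: it self-signs a certificate that carries the 
EV subject attributes (businessCategory, serialNumber and the 
jurisdictionOfIncorporation attributes under 1.3.6.1.4.1.311.60.2.1.x, which 
OpenSSL 1.0.2 and later know as jurisdictionC/jurisdictionST) plus a 
certificatePolicies extension, then shows that the policy OID is there but the 
cert only verifies when it is itself supplied as the trust anchor. Assumptions: 
`openssl` is on PATH; the policy OID 1.3.6.1.4.1.99999.1.1 is a placeholder from a 
private arc standing in for whatever OID a real EV CA would use; the organisation, 
hostname and registration number are made up.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project): build a
# self-signed certificate with EV-style subject attributes and a policy OID,
# then inspect the parts a browser's EV check would look at.
# ASSUMPTIONS: openssl on PATH; the policy OID below is a private-arc
# placeholder, not any CA's EV OID; subject values are fictitious.
set -eu

WORK=${WORK:-$(mktemp -d)}
EV_POLICY_OID=1.3.6.1.4.1.99999.1.1   # placeholder, assumption
CERT=$WORK/ev-lookalike.pem
KEY=$WORK/ev-lookalike.key

# Config supplies only the extensions; the subject goes on the command line so
# that an attribute name an old build does not know is skipped with a warning
# rather than aborting the request.
write_config() {
  cat > "$WORK/ev.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ev_ext

[ dn ]

[ ev_ext ]
subjectAltName = DNS:www.example.test
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
certificatePolicies = $EV_POLICY_OID
EOF
}

# Self-sign a cert whose subject has the EV Guidelines attributes on top of
# the usual C/ST/L/O/CN; prints the path of the certificate written.
make_ev_lookalike() {
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ev.cnf" -extensions ev_ext \
    -subj "/C=CA/ST=Quebec/L=Montreal/O=Example Widgets Inc./CN=www.example.test/businessCategory=Private Organization/serialNumber=1234567/jurisdictionC=CA/jurisdictionST=Quebec" \
    -keyout "$KEY" -out "$CERT" 2>/dev/null
  printf '%s\n' "$CERT"
}

# Subject in RFC 2253 form, which prints the same way across OpenSSL versions.
subject_rfc2253() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# The policy OIDs the cert asserts: this is what a browser compares against
# the EV OID table it keeps per trusted root. A self-signed cert has no entry.
policy_oids() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Policy: //p'
}

# "yes" when issuer and subject are identical, i.e. the cert is self-signed.
is_self_signed() {
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  [ "$issuer" = "$(subject_rfc2253 "$1")" ] && echo yes || echo no
}

# Exit 0 only when the cert chains to the trust file given as $2; with no $2
# the default store is used, where our self-signed cert is simply unknown.
chains_to() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

main() {
  cert=$(make_ev_lookalike)
  echo "subject:     $(subject_rfc2253 "$cert")"
  echo "policies:    $(policy_oids "$cert")"
  echo "self-signed: $(is_self_signed "$cert")"
  if chains_to "$cert" "$cert"; then
    echo "verifies when the cert itself is the trust anchor"
  fi
  if ! chains_to "$cert"; then
    echo "rejected by the default store: no trusted root, so no EV OID lookup either"
  fi
}

main "$@"
```

The DN and policy OID come out exactly as the reply says they can, and `openssl 
verify` accepts the cert once it is handed in as the anchor; what the script cannot 
produce is the binding between that OID and an audited root inside the browser's 
own store, which is the part that turns the bar green.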
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]