Re: Error signing certificates with my own CA... Configuration file?
Hi Chris:

Although it sounds a bit overkill for what you are looking for, as part of our CertiPath Test CA using OpenSSL Howto, a goodly portion of the various settings and possible configurations of the parameters are explained, and scripts are also provided for generation of a number of different kinds of certificates.

It can be found at: http://www.carillon.ca/library/openssl_testca_howto_1.3.pdf

Have fun.

Patrick.

On 2010-09-28, at 11:05 AM, Chris Rider wrote:

> Not discouraged at all (just short on time trying to meet a deadline). I'll check out TinyCA (and the like) in the meantime, but actually do hope to delve into the source and figure out those directives when I get some time.
>
> I do appreciate your time and attention!!
>
> On 09/28/2010 09:41 AM, Mark H. Wood wrote:
>
> > I don't want to discourage you from learning the details yourself, but you may want to look at some wrapper software that is already worked out and takes care of these things for you. For example, I usually find TinyCA adequate to my minuscule certificate-processing needs. Even if you decide not to use such a tool, you may learn some useful things by studying the code.
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559
Re: Error signing certificates with my own CA... Configuration file?
I don't want to discourage you from learning the details yourself, but you may want to look at some wrapper software that is already worked out and takes care of these things for you. For example, I usually find TinyCA adequate to my minuscule certificate-processing needs. Even if you decide not to use such a tool, you may learn some useful things by studying the code.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband.
-- Ledford and Tyler, _Google Analytics 2.0_
Re: Error signing certificates with my own CA... Configuration file?
Not discouraged at all (just short on time trying to meet a deadline). I'll check out TinyCA (and the like) in the meantime, but actually do hope to delve into the source and figure out those directives when I get some time.

I do appreciate your time and attention!!

On 09/28/2010 09:41 AM, Mark H. Wood wrote:

> I don't want to discourage you from learning the details yourself, but you may want to look at some wrapper software that is already worked out and takes care of these things for you. For example, I usually find TinyCA adequate to my minuscule certificate-processing needs. Even if you decide not to use such a tool, you may learn some useful things by studying the code.
Error signing certificates with my own CA... Configuration file?
I've found the alternative to self-signing (namely signing with your own CA) to be a potentially great path for the web application that we develop; however I can't quite figure out how exactly to tweak the configuration file to get what I want. It is hard (impossible?) to find any detailed information about each of the directives in that file.

Basically, I've successfully(?) created my own CA (the certificate is able to be installed automatically as trusted root, and everything), but when I go to sign or use a server certificate (for the end-user) using that, I get problems.

In order to attempt all this voodoo, I've basically created two separate directories (one for my CA and another for my end-user certificates)... each containing their own directory structure (private, certs, etc.) and their own openssl config files. Is this the right approach, first of all? I assume since the CA has its own unique configuration directives (e.g. CA=True), the end-user cert should be different... right?

So, first, I want to make sure I am creating the CA keys properly. Can someone provide a list of configuration directives (or link to them) that are necessary for a CA in my type of situation? I at least know CA=True and keyUsage needs to include certSign (many thanks to Patrick!)... but what, if anything, else?

Then, same for the end-user certificates... anything special there?

Thanks!
Chris
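
An added example, not part of the thread and not taken from the Carillon howto or from TinyCA: one possible `openssl.cnf` layout for the CA side that keeps the root profile (CA:TRUE, keyCertSign) apart from the profile applied to server certificates at signing time. All section names, paths, lifetimes and the hostname are assumptions chosen for illustration.

```ini
# Constructed example: section names, ./ca paths and www.example.test are placeholders.
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./ca                    # assumed CA directory
database        = $dir/index.txt          # must exist (may be empty) before the first signing
serial          = $dir/serial             # must exist and hold a hex serial, e.g. 01
new_certs_dir   = $dir/newcerts
certificate     = $dir/certs/ca.cert.pem
private_key     = $dir/private/ca.key.pem
default_md      = sha256
default_days    = 365
policy          = policy_loose
x509_extensions = server_cert             # extensions the CA stamps on what it signs
copy_extensions = none                    # ignore extensions asked for in the request

[ policy_loose ]
commonName             = supplied
organizationName       = optional
countryName            = optional

# Root profile, e.g. openssl req -x509 -extensions v3_ca
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer

# End-entity profile, applied by openssl ca (see x509_extensions above)
[ server_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = @alt_names

[ alt_names ]
DNS.1 = www.example.test
```

With `copy_extensions = none`, the extensions in an issued certificate come from the CA's configuration rather than from the requester's file, so a request cannot grant itself `CA:TRUE`. The resulting extensions can be inspected with `openssl x509 -noout -text -in <certificate>`.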