Stewart Stremler wrote:
> Hm. Apparently becoming a CA isn't that hard: it seems that something called
> SSLeay has all the programs and scripts you need.
So does OpenSSL.
To create your CA:
openssl req -nodes -config /etc/openssl.conf -days 1825 -x509 -newkey rsa:2048 -out newca.crt -outform PEM
To sign from your CA:
openssl ca -batch -config /etc/openssl.conf -in newcert.csr -out newcert.crt
To generate a CRL (important!):
openssl ca -config /etc/openssl.conf -gencrl -out newcacrl.crt
To revoke a certificate (requires local copy):
openssl ca -config /etc/openssl.conf -revoke somecert.crt
(then generate the CRL again)
The problem with the CRL stuff is that no clients check to see if
certificates have been revoked by the issuer. Try it: specify a proper
CRL URL in your certificate, revoke the cert, and see what your browser
says. SUCKS!
Anyhow, it's easy to roll your own CA and sign certs from it. It's hard
to revoke them and have it actually matter.
-kelsey
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
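The whole procedure from the post run end to end in a throwaway directory, as an added example (not code from the post): create the CA, sign a leaf, publish a CRL, revoke, republish, then verify the leaf once without and once with a CRL check. The minimal ca.cnf, the subjects and all file names are constructed for the demo.

```shell
# Added demo, not from the post: throwaway CA -> sign -> CRL -> revoke -> CRL,
# then verify the leaf with and without a CRL check. Names/config are made up.
crl_demo() (           # subshell body: cd and set -e stay local
  set -eu
  work=$(mktemp -d) && cd "$work"
  mkdir newcerts && : > index.txt && echo 1000 > serial && echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/newca.crt
private_key      = $dir/newca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_pol
x509_extensions  = v3_leaf
[ any_pol ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions  = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
  # 1. self-signed CA for five years, as in the post; -nodes leaves the key unencrypted
  openssl req -nodes -config ca.cnf -days 1825 -x509 -newkey rsa:2048 \
    -keyout newca.key -out newca.crt -subj "/CN=Demo CA" 2>/dev/null
  # 2. leaf CSR, signed by the CA (-notext: PEM only, no human-readable dump)
  openssl req -nodes -config ca.cnf -newkey rsa:2048 -keyout newcert.key \
    -out newcert.csr -subj "/CN=demo.example" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in newcert.csr -out newcert.crt 2>/dev/null
  # 3. publish a CRL, revoke the leaf, publish the CRL again
  openssl ca -config ca.cnf -gencrl -out newcacrl.crt 2>/dev/null
  openssl ca -config ca.cnf -revoke newcert.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out newcacrl.crt 2>/dev/null
  # 4. a verifier that never consults the CRL still says OK; -crl_check catches it
  verdict() { openssl verify "$@" newcert.crt 2>&1 | grep -q ': OK$' && echo ok || echo revoked; }
  echo "plain=$(verdict -CAfile newca.crt) crl_check=$(verdict -CAfile newca.crt -CRLfile newcacrl.crt -crl_check)"
  rm -rf "$work"
)
```

Running `crl_demo` prints `plain=ok crl_check=revoked`: the same revoked certificate passes a verifier that does not fetch and check the CRL, which is the gap the post is complaining about.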