Hi
"Jim A." wrote:
>
> You did a great job in the reply below - it's almost an FAQ!
Cheers. It seems there's a lack of very clear documentation on
OpenSSL. I learnt from the SSLeay FAQ (I started out with SSLeay, but
it's pretty much the same as OpenSSL as far as I can see).
Oh, last time I made a slight mistake. Before you can use the commands
I gave to make a Certificate Signing Request, or a self-signed key, you
first need to make the private key. The command to do this is:
> The question I have is WHERE do you put one's CN at?
I don't understand. OpenSSL requests it as you create the signing
request IIRC.
> Can the CN be domain.com or does it need to be host.domain.com?
> Can it be *.domain.com as an example?
You're at the mercy of browser behaviour here (what fun!). It's up to
the browser to verify this. I'd have thought it's safest not to, but I
checked www.modssl.org and it says:
A Certificate Authority may define a policy specifying which
distinguished field names are optional, and which are required. It may
also place requirements upon the field contents, as may users of
certificates. As an example, a Netscape browser requires that the Common
Name for a certificate representing a server has a name which matches a
wildcard pattern for the domain name of that server, such as
*.snakeoil.com.
So it's a yes for Netscape anyway. Try making a self-signed certificate
and find out if browsers complain about this (and ignore the messages
about an unrecognised CA). If you're signing your own keys I recommend
you make a CA key and sign keys with that (it's what I do anyway), as
then it's only one key to trust. If you're just trying to load balance
servers you could get the DNS server to do that for you by having it
choose a server and return it, so it's different every time (I've seen a
few large sites do this).