Hi
"Jim A." wrote:
>
> When I attempted to create the key, I was NEVER prompted for a CN or
> any other information at all other than what I supplied on the command line.
>
> With that in mind, I thought that the CN was being pulled from another file
> somewhere. I hope that clears that up =)
>
> More than likely user-error, back to RTFM again =)

If they're specified in your ssleay.conf as non-overridable then they
will be used, but the default doesn't. I tried the following on my
machine (in this order):

1) openssl genrsa -out key.pem 512
2) openssl req -new -key key.pem -out req.pem
3) openssl req -new -key key.pem -out cert.pem -x509

Both 2) and 3) asked me for country, county, city, organisation, dept,
common name, email addr, challenge password and challenge email (the
difference: 2 generates something to send to your CA, 3 self-signs the
key).

Erm, perhaps it's a config error?

> If I become my own CA, can I assign certs to individual (ip based) virtual
> domains that I host using OpenSA Apache (or any other Apache for that matter).
>
> Basically, I want to establish me as a small CA, by letting the domains that I
> host have their own server cert. It's not the best practice, but effective.

If you're a CA you can assign certs of whatever common name you like.
As long as your CA cert is accepted by either the user or browser, and
the common name matches the domain (or machine name + domain), then it
will be accepted.

Your CA key will probably have the CA name as a common name - no machine
name is required. Only SSL certs need to have common name set to the
machine name.

I'm currently setting up my not-for-profit CA, which is why I use
OpenSSL. The plan is my secure server can do the key issue, like
Thawte's FreeMail system.

Regards,
Luke
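
Added example, not part of the original message: the private-CA workflow discussed above, run non-interactively with a config that sets `prompt = no`, so `req` takes the DN from the file instead of asking. The organisation name, the `example.test` host names, the file layout and the helper function names are assumptions; it uses 2048-bit keys rather than the 512 bits in the message and adds a subjectAltName, since current clients match the host name there rather than on the CN.

```shell
#!/bin/sh
# Added example: private CA issuing a server cert. All names are constructed.
set -eu

write_cnf() {  # $1 = output file, $2 = common name
    # prompt = no: req takes the DN from this file and asks nothing.
    cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = Example Hosting
CN = $2
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ srv_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2
EOF
}

make_ca() {  # $1 = work dir; the CA's CN is its own name, not a host name
    write_cnf "$1/ca.cnf" "Example Hosting CA"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/ca.key" -config "$1/ca.cnf" \
        -extensions ca_ext -days 365 -out "$1/ca.pem"
}

issue_server_cert() {  # $1 = work dir, $2 = host name (used as CN and SAN)
    write_cnf "$1/$2.cnf" "$2"
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -config "$1/$2.cnf" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.cnf" -extensions srv_ext \
        -days 90 -out "$1/$2.pem" 2>/dev/null
}

verify_cert() {  # $1 = CA cert, $2 = server cert, $3 = expected host name
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -subject | grep -q "CN *= *$3\$" || return 1
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"
}

work=$(mktemp -d)
make_ca "$work"
issue_server_cert "$work" www.example.test
verify_cert "$work/ca.pem" "$work/www.example.test.pem" www.example.test \
    && echo "www.example.test: chain and name OK"
```

Each virtual host gets its own key and certificate from `issue_server_cert`; clients only accept them once `ca.pem` has been installed as a trusted root.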