At 04:39 AM 8/19/99 -0400, Patrick Brewer wrote:
>
>      If I get a certificate from a CA can I then become a CA and create
>certificates for machines in my domain?  Or for virtual hosted domains?
>
The certificate you receive is 'branded' to the site name in the request, and
can only be used on the named site. This establishes your traceability for a
'trust' relationship between your server and SSL enabled browsers that ALSO
trust YOUR certificate origin.

Becoming a CA is a different matter, .. involving YOUR issuance of
certificates. IMLK, being a CA has nothing to do WITH getting a certificate
FROM a CA. (What we do is described above.) If you are a CA issuing
certificates, the certificates you issue are installed on the client machines,
and you both have a trust relationship (i.e. the client trusts you, and you
know the client's identity via the certificate you have issued them.)

Each method is completely independent, .. the first involves *MUTUAL* trust of
a public CA, .. the second involves a bi-directional trust between YOUR CA and
identity-proven clients.

>    If so how can I create a certificate at other than compile time?  I gather
>that it is possible to create a certificate using openssl (the command), but I
>can't find it documented anywhere.  (I'm running from a binary RPM, from
>Mandrake.)  I would hate to have to compile a new copy of apache, each time I
>wanted a new certificate.
>
Compile time has nothing to do with it. A self-created certificate is usable in
either case above, though for the first case the client will get a few screens
(four in NN) asking if they trust the issuer of the cert (i.e. you). If so, SSL
is permitted.

>    When I get a real certificate from a CA, can I just copy it over the old
>dummy certificate currently being used by my apache server?
>
Yes, assuming the names match.

        Lee
============================================
   Leland V. Lammert                                [EMAIL PROTECTED]
      Chief Scientist                         Omnitec Corporation
  Network/Internet Consultants              www.omnitec.net
============================================
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
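
The thread covers creating a self-signed certificate with the openssl command and replacing a dummy certificate "assuming the names match". The script below is an added example, not part of the original messages, that does both and also checks that the certificate belongs to the installed private key. The name www.example.test and the file names server.key and server.crt are constructed placeholders, and -addext assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: www.example.test and the file names are constructed.

# make_selfsigned NAME DIR
# Writes DIR/server.key and DIR/server.crt, self-signed for NAME.
# Current clients match the site name against subjectAltName, so set it.
make_selfsigned() {
    (
        umask 077   # keep the private key unreadable to other users
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
            -keyout "$2/server.key" -out "$2/server.crt" 2>/dev/null
    )
}

# name_matches CERT NAME
# Uses openssl's own hostname matching. The verdict is read from the
# printed text rather than from the exit status of "x509 -checkhost".
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches CERT KEY
# A certificate only works with the private key it was issued for,
# so compare the public key in the certificate with the one in the key.
key_matches() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# ready_to_install CERT KEY NAME
# Both checks must pass before CERT replaces the server's current one.
ready_to_install() {
    name_matches "$1" "$3" && key_matches "$1" "$2"
}

# Demo in a scratch directory, removed afterwards.
demo=$(mktemp -d)
make_selfsigned www.example.test "$demo" &&
    ready_to_install "$demo/server.crt" "$demo/server.key" www.example.test &&
    echo "certificate and key are consistent for www.example.test"
rm -rf "$demo"
```

The same ready_to_install check applies to a certificate returned by a public CA: run it against the key that produced the request before copying the file into place.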