> I'm a newbie in SSL and I need your advice.
> I've just setup an Apache with OpenSSL configured using Mod_SSL.
> I've created my own certificate using the command
> o make certificate TYPE=custom
>
> I am able to start the SSL-enabled Apache.
>
> However, when I try to access the secure site that I've just setup,
> there was this "New Certificate" message.
>
> What is the difference between the certificate I've created and the
> Verisign's commercial certificate? Which one should I use (under
> what circumstances)?
Web-browsers have a number of different root CA certificates embedded
in them. You can see the list that Internet Explorer has by looking
at Tools | Internet Options | Content | Certificates | Trusted Root
Certification Authorities.
You'll see that there are certificates from Verisign, Thawte, GTE
Cybertrust and many others. You won't see yours. That's the difference.
The reason this is important is because these certificates are used by the
browser when validating a server's certificate.
Your server's self-signed certificate is obviously not signed by one
of these agencies. So the browser warns the user that the server
they are communicating with isn't trusted at the moment.
In a closed user community you can add your certificate to the list
of trusted certificates on the browser. This is not practical (or
advisable) over an open community like the Internet.
What people are doing when they buy a certificate from a commercial
CA is saying to the user "if you trust the CA, then you can trust me".
Since the major web-browsers come with a default set of CA certificates
this is totally transparent to the user (not necessarily a good thing).
> I read something about the CA certificate, but I don't really know
> what it is used for. Can someone enlighten me please?
Certificates are used to prove an identity. This process works because
each certificate (which includes the identity of the user) is signed by
an entity. You verify that you trust a certificate by verifying the
signature of the certificate. This is a recursive process: you then need
to verify the signer of the signer of the certificate etc. Eventually you
will arrive at a self-signed certificate. This is the root (or CA)
certificate. You must implicitly trust the CA certificate, because there
is no-one else to vouch for it.
In a browser, this is done by checking against the stored common
"commercial" root CA certificates.
Hope that makes sense.
- Dale.
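Added example (not part of Dale's reply or the OpenSSL project): the three situations described above, reproduced with the openssl command line. It assumes the openssl binary is on PATH; the hostname www.example.test and the CA name "Example Private Root CA" are made-up values.

```shell
#!/bin/sh
# Builds a self-signed server cert, a private root CA with a CA-signed
# server cert, and checks each against a "browser" trust file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Case 1: the server certificate signs itself (what "make certificate"
# produced for the original poster).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# Case 2: a private root CA vouches for the server by signing its CSR.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/srv.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv.pem" >/dev/null 2>&1
}

# chain_status CERT TRUSTFILE: walk the chain from CERT up to a root
# listed in TRUSTFILE (the browser's stored root CAs); echo the result.
chain_status() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_self_signed
make_ca_signed

# Case 3 (closed user community): add the self-signed cert to the
# trust file itself, so the browser now holds its root.
cat "$WORK/ca.pem" "$WORK/self.pem" > "$WORK/bundle.pem"

echo "self-signed vs CA list:        $(chain_status "$WORK/self.pem" "$WORK/ca.pem")"
echo "CA-signed vs CA list:          $(chain_status "$WORK/srv.pem" "$WORK/ca.pem")"
echo "self-signed after adding root: $(chain_status "$WORK/self.pem" "$WORK/bundle.pem")"
```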
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]