i don't know whether the third step you did is correct.
you can get the request signed by using opesssl ca utility(just like openssl 
req)
even after that your netscape will say untrusted certificate because how  will 
netscape know that the CA which issued the certificate to your web server is 
trustworthy? so you have to include the self signed certificate of your CA
(which issued certificate to your web server, openssl ca utility) in trusted CA 
list of netscape and the it should work fine

creating a self signed certificate is possible with openssl req command
actually you can do first two of your steps using one openssl req command

rakesh


---- Original message ----
>Date: Tue, 10 Sep 2002 10:12:12 +0800
>From: "zhaoxd" <[EMAIL PROTECTED]>  
>Subject: how to generate authoritive CA  
>To: <[EMAIL PROTECTED]>
>
>   hello,everybody:
>    
>     When I constructed my web station through apache,I met with some
>   problems.
>     
>     I made the CA Certificate by myself,and issued a server.crt for my
>   web server using this CA,but I found an unexpected warning happened
>   when I tried to connect my apache server through
>   MSIE&netscape.There is a warning message which says my certificate is
>   not issued by Trusted CA.
>    
>     I think the CA generated by myself must be have some problems.My
>   question is:can guys make CA by themselves?
>    
>     If so,the steps I generate my CA are:
>    
>       1.create a RSA private key for my CA:
>           $openssl genrsa -des3 -out ca.key 1024
>       2.create a self-signed CA Certificate (X509 structure) with the
>   RSA key of the CA.
>           $openssl req -new -x509 -day 365 -key ca.key -out ca.crt
>       3.sign the certificate of my server using sign.sh provided by
>   mod_ssl/pkg.contrib/
>           $sign.sh server.csr
>       Then I got my server.crt issued by my CA Certificate.
>      
>      Is there any problems during the process I generate CA?
>    
>   Any help are appreciated!:)
>                                           zhaoxd
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to