> Hi everybody,
>
> I hear about several methods for server's certificate creation.
> - one of them (through CA.pl) creates a root CA and then the server's
> certificate
> - another one creates a root CA, then a server CA and finally the
> server's certificate.
> Why are there three stages? Is it useful? What is the best or the
> recommended method?
> Thanks a lot for your advice.

The advantage of the second scheme is that the server operators can revoke their keys if they are compromised and replace them with new ones any time they want to. The disadvantage is that there is no supported, reliable scheme to limit the server CA's authority, so the root CA would have to trust the server CA, in which case why not just have the root CA do it all?

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
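
The three-stage scheme from the question, as an added example that is not part of the original thread: it builds a root CA, a server CA and a server certificate with the `openssl` CLI, then shows that a certificate the server CA issues for an unrelated name validates against the root just as well, which is the trust the reply says the root has to extend. All subject names, file names and the `ext.cnf` layout are constructed for the illustration.

```shell
#!/bin/sh
# Added example: root CA -> server CA -> server certificate. All names are constructed.

# issue CN SIGNER SECTION: new key + CSR for CN, signed by SIGNER using ext.cnf [SECTION]
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile ext.cnf -extensions "$3" -days 30 -out "$1.pem" 2>/dev/null
}

# build_chain DIR: run the three stages inside DIR (subshell keeps the caller's cwd)
build_chain() (
  mkdir -p "$1" && cd "$1" || exit 1
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
EOF
  # Stage 1: self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -config ext.cnf -extensions ca \
    -subj "/CN=root" -keyout root.key -out root.pem -days 30 2>/dev/null || exit 1
  # Stage 2: the root signs the server CA
  issue serverca root ca || exit 1
  # Stage 3: the server CA signs the server certificate
  issue www.example.test serverca leaf || exit 1
  # The server CA can equally sign a name the root never reviewed
  issue unrelated.example.test serverca leaf
)

# verify_leaf DIR NAME: validate NAME against the root, with the server CA as untrusted input
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/serverca.pem" "$1/$2.pem"
}

demo=$(mktemp -d) && build_chain "$demo" &&
  verify_leaf "$demo" www.example.test && verify_leaf "$demo" unrelated.example.test
rm -rf "$demo"
```

Both leaf certificates report `OK` because only the root is a trust anchor and everything the server CA signs chains to it; replacing a compromised server CA key means re-running stage 2 onward without touching `root.key`.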