Hello all,
I'm a newbie in SSL and certificates and I need some explanations
(I've already read manuals and howtos but it's still too dark for me) :
On debian,
* To generate a self-signed certificate, I use these commands :
/usr/lib/ssl/misc/CA.sh -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign
The files resulting from these operations are demoCA/cacert.pem,
demoCA/private/cakey.pem, newreq.pem, newcert.pem
Questions : Are these commands sufficient and good ?
To generate other certificates on the same host,
should I execute again (and use the demoCA):
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign
in the same directory ?
Do self-signed certificates, even if they are not signed
by an official CA, provide a good security level for TLS communications ?
Can I obtain official and free certificates ?
To finish, the recurrent issue (sorry), but in a real case :
I've got two servers with mail servers and openldap (both in a lan
but not in the same site) and I want to replicate the openldap db using TLS.
machine 1 name : server1.domain.com
machine 2 name: server2 (no domain name)
These machines have no entry in dns (like ldap.domain.com).
During CA creation, what Common Name should I provide on each host ?
During self-signed certificates creation, what Common Name should I
provide on each host ?
Should I use the same CA for both certificates ?
If someone could answer simply and clearly, it could be helpful.
Thx.
Max
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
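
The flow described in the post, as an added example that is not part of the original message and not OpenSSL project code: plain `openssl` commands in place of `CA.sh`, one CA signing a certificate for each host, then a check that each certificate verifies only under the name a client connects with. The 2048-bit keys, 365-day validity, CA subject, file names and the premise that peers connect as `server1.domain.com` and `server2` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: one private CA, one certificate per host named in the post.
# Key size, lifetime, CA subject and file names are assumptions.

make_ca() {   # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed CA certificate; the CA key is what must stay private.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

issue() {     # $1 = working directory, $2 = host name peers will connect to
    # Key and signing request; the Common Name is the host name itself.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    # Same name as a subjectAltName, which current TLS clients check first.
    printf 'subjectAltName = DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -days 365 -sha256 \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

check() {     # $1 = directory, $2 = certificate's host, $3 = name the client uses
    # Succeeds only if the chain ends at our CA and the name matches.
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" \
        "$1/$2.crt" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
d=$(mktemp -d) && make_ca "$d" &&
    issue "$d" server1.domain.com && issue "$d" server2 &&
    check "$d" server1.domain.com server1.domain.com &&
    check "$d" server2 server2 &&
    echo "both certificates verify against the shared CA"
rm -rf "$d"
```

Each side of the replication link then needs only `cacert.pem` as its trust anchor, plus its own key and certificate.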