In your OpenSSL distribution, you should have gotten a script called either CA.pl or CA.sh. They automate the steps necessary to create a CA and to sign certificates with that CA. (It should be noted that it is NOT intended to do everything an actual CA needs to do; it is quite possibly the most minimal CA software in existence.)

I should point out that you really do not want to use the same 'world.png' file to seed the random number generator. If security is a financial concern, you should have your clients themselves generate the keys, and submit the CSRs. The way to do this depends on the browser, unfortunately, and it might be that it's not something that you can support. Alternatively, you can try using /dev/random or /dev/urandom (semantics being that one blocks when the estimated amount of entropy is low, the other continues generating low-entropy pseudorandom numbers even in that case and never blocks) if your platform supports them.

-Kyle H

On Mon, Jul 14, 2008 at 11:45 PM, rameshj <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I am new to OpenSSL. I need to configure my application server with client
> authentication (user-based certificate authentication). To achieve this, I
> have configured my tomcat server.xml with clientAuth="true". Currently I
> have created a client certificate and added it into both my application
> and my browser.
> I have used the following commands to create certificates:
>
> * openssl genrsa -rand world.png -out ./output/ClientKey.key 1024
> * openssl req -new -key ./output/ClientKey.key -out ./output/ClientCsr.csr -config openssl.cnf
> * openssl x509 -req -days 999999 -in ./output/ClientCsr.csr -signkey ./output/ClientKey.key -out ./output/ClientCer.cer
>   [ I have imported the generated ClientCer.cer into my application server truststore ].
> * openssl pkcs12 -export -clcerts -in ./output/ClientCer.cer -inkey ./output/ClientKey.key -out ./output/rameshj.p12 -name "rameshj"
>   [ I have imported the generated rameshj.p12 into my browser ].
>
> It is working perfectly. But here I require to import all the user-specific
> (common name) certificates in the server as well as browsers. In other words, if my
> application supports 1000 users, then I need to import all the 1000
> certificates to my server application truststore file. From a scalability
> point of view, here I am planning to import just one root certificate
> into my server application, and 1000 user certificates will be imported into
> 1000 different user m/c browsers. But I don't know how to generate a root
> certificate and the other 1000 user certificates using openssl commands. Can you
> please help me to generate a root certificate as well as user certificates?
> Thanks in advance for your help.
>
> Regards,
> Ramesh
> --
> View this message in context:
> http://www.nabble.com/Help-on-creating-root-certificate.-tp18458611p18458611.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> ______________________________________________________________________