Hi Kyle,

Thanks for your help. Yes, I found CA.pl in my OpenSSL distribution. Also I found some useful information at the following URL:

http://security.leisink.org/openssl

Thanks for your security concern about world.png. I understand; I'll use /dev/random instead of world.png. We are planning to leave creation of the CA root certificate and user certificates to our customers, so they can create them at their own security levels. I am going to use these certificates for testing purposes. They will not be part of production.

Thanks,
Ramesh


Kyle Hamilton wrote:
In your OpenSSL distribution, you should have gotten a script called
either CA.pl or CA.sh.  They automate the steps necessary to create a
CA and to sign certificates with that CA.  (It should be noted that it
is NOT intended to do everything an actual CA needs to do; it is quite
possibly the most minimal CA software in existence.)

I should point out that you really do not want to use the same
'world.png' file to seed the random number generator.  If security is
a financial concern, you should have your clients themselves generate
the keys, and submit the CSRs.  The way to do this depends on the
browser, unfortunately, and it might be that it's not something that
you can support.  Alternatively, you can try using /dev/random or
/dev/urandom (semantics being that one blocks when the estimated
amount of entropy is low, the other continues generating low-entropy
pseudorandom numbers even in that case and never blocks) if your
platform supports them.

-Kyle H

On Mon, Jul 14, 2008 at 11:45 PM, rameshj <[EMAIL PROTECTED]> wrote:
Hi,

I am new to OpenSSL. I need to configure my application server with client
authentication (user-based certificate authentication). To achieve this, I
have configured my Tomcat server.xml with clientAuth="true". Currently I
have created a client certificate and added it both to my application
and to my browser.
I have used the following commands to create certificates,

    openssl genrsa -rand world.png -out ./output/ClientKey.key 1024
    openssl req -new -key ./output/ClientKey.key -out ./output/ClientCsr.csr -config openssl.cnf
    openssl x509 -req -days 999999 -in ./output/ClientCsr.csr -signkey ./output/ClientKey.key -out ./output/ClientCer.cer
    [ I have imported the generated ClientCer.cer into my application server truststore ]
    openssl pkcs12 -export -clcerts -in ./output/ClientCer.cer -inkey ./output/ClientKey.key -out ./output/rameshj.p12 -name "rameshj"
    [ I have imported the generated rameshj.p12 into my browser ]


It is working perfectly. But here I need to import all the user-specific
(common name) certificates into the server as well as the browsers. In other words, if my
application supports 1000 users, then I need to import all the 1000
certificates into my server application truststore file. From a scalability
point of view, I am planning to import just one root certificate
into my server application, and the 1000 user certificates will be imported into
1000 different users' machine browsers. But I don't know how to generate a root
certificate and the other 1000 user certificates using openssl commands. Can you
please help me to generate a root certificate as well as user certificates?
Thanks in advance for your help.

Regards,
Ramesh
--
View this message in context: 
http://www.nabble.com/Help-on-creating-root-certificate.-tp18458611p18458611.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
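Added example (not code from the thread, CA.pl, or the OpenSSL project): a POSIX shell script that does what Kyle describes for Ramesh's use case: one self-signed root CA whose certificate alone goes into the server truststore, and per-user certificates signed by that CA (instead of self-signed with -signkey), bundled as PKCS#12 for the browser. Keys are generated without `-rand world.png`, relying on openssl's default OS-seeded CSPRNG; the directory, subject names and the `changeit` export password are placeholders.

```shell
#!/bin/sh
# Minimal root CA + per-user certificate workflow (added example, not the
# thread's own commands or OpenSSL's CA.pl). No -rand world.png: on Unix,
# openssl seeds its CSPRNG from the OS (e.g. /dev/urandom) by default.
# Directory, subject names and the PKCS#12 password are placeholders.
set -eu

# Create a self-signed root CA (ca.key, ca.crt) in directory $1.
# Only ca.crt goes into the server truststore; ca.key stays offline.
make_root_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
    -subj "/CN=Example Test Root CA" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a certificate for user $2 in directory $1, signed by the root CA
# (not self-signed with -signkey), and bundle key+cert as $2.p12 for the
# browser. -CAcreateserial keeps a serial counter in ca.srl so that each
# issued certificate gets a unique serial number.
issue_user_cert() {
  dir=$1; cn=$2
  openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" \
    -out "$dir/$cn.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/$cn.crt" 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$dir/$cn.crt" -inkey "$dir/$cn.key" \
    -name "$cn" -passout pass:changeit -out "$dir/$cn.p12" 2>/dev/null
}

# Check that certificate $2 chains to CA certificate $1: prints ok or fail.
# This is the same check the server makes against its single trusted root,
# so a self-signed user certificate (the original approach) prints fail.
verify_against_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}
```

Typical use: `make_root_ca ./pki` once, then `issue_user_cert ./pki rameshj` per user and hand out `rameshj.p12`; the server truststore needs only `./pki/ca.crt`.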
