> From: owner-openssl-us...@openssl.org On Behalf Of Ariel
> Sent: Thursday, 21 October, 2010 16:34
>
> On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p <sandeepkir...@gmail.com> wrote:
> > mydomain.com.crt is an End-Entity certificate and not a CA cert.
> <snip>
> So basically you mean that I can't use "mydomain.com.crt" to sign and issue
> new certificates for my clients? I thought I can using the bundle or intermediate
> one they provided to me. Sorry for my ignorance but I don't know too much
> how does it work and this is annoying to me :S
>
> I only want to generate and issue new certificates that my clients can install
> in their browsers and then provide it to me (SSL Client certificate) when they come
> to my site. Is this possible without having to create a self-sign CA cert that causes
> browsers to not recognize it as a valid CA? Can I provide a trusted chained root
> with the certificates I'm trying to issue?
>
> [sandeep?] So you either need to get a CA cert from GoDaddy or setup a test CA
> on your own using OpenSSL. GoDaddy, I am sure would not provide you with a CA
> certificate as that would then empower you to
> <snip rest>

Do as sandeep said. Create your own private CA with OpenSSL. You issue certs to
clients (who request them) and set your server(s) to trust your private root and
thus the certs presented by the clients. Your server presents the cert issued to
it under a real CA which the clients trust.

The only tricky bit is if your clients need to authenticate themselves to some
*other* server(s) besides yours. Then they need to be able to select 'key/cert
for Ariel' versus other, perhaps public, key/cert(s). Your server should do
SSL_[CTX_]set_client_CA_list to your private root; this will send a 'hint' to
the client which cert to present -- although it's up to the client to actually
obey this hint, it's not required to.

Plus of course you need to ensure that the people/machines you issue certs to
are in fact the ones you want as clients. Although if you make a mistake, you
can issue your own CRL(s) which your server checks.
(And if it's convenient to put your CA on the same machine as your server, this
greatly simplifies the CRL distribution procedure. <G>)
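The private-CA setup the reply recommends, worked through with the openssl command line. This is an added example and not code from anyone in the thread: it builds a throw-away root CA in a temporary directory with its own minimal config file (so it does not depend on the system openssl.cnf), issues one client certificate from a CSR, and then stands in for the server-side decision with `openssl verify` trusting only that private root. It also shows the two failure modes the reply mentions: a certificate not issued by the private CA is rejected, and an issued certificate that later turns out to be a mistake is rejected once it is on a CRL the server checks. The CA name, the client name `ariel-client` and the `stranger` certificate are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a private client CA with the
# openssl CLI. All names and paths below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/ca.cnf"

# Self-contained config for `openssl req` and `openssl ca`; absolute paths so
# `openssl ca` finds its database and serial files wherever the script runs.
cat > "$CFG" <<EOF
[ ca ]
default_ca = private_ca

[ private_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
unique_subject   = no

[ policy_cn ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = unused-overridden-by-subj

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 1000 > "$WORK/crlnumber"

# 1. The private root. Only your server trusts it; it never has to be in any
#    browser's CA store, because browsers only verify the *server's* cert.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CFG" -extensions v3_ca \
    -subj "/CN=Example Private Client CA" -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. The client generates its own key and CSR (in real life on its machine);
#    the CA signs the CSR with client-auth extensions only.
issue_client() {   # $1 = client name
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$CFG" -extensions v3_client \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# 3. What the server effectively does with a presented cert: chain it to the
#    private root and nothing else. Prints "accepted" or "rejected".
verify_client() {   # $1 = cert path
  if openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# 4. Undo a mistake: revoke in the CA database and publish a CRL.
revoke_client() {   # $1 = cert path
  openssl ca -config "$CFG" -revoke "$1" >/dev/null 2>&1
  openssl ca -config "$CFG" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Same check as verify_client, but the server also consults the CRL.
verify_client_crl() {   # $1 = cert path
  if openssl verify -purpose sslclient -crl_check -CAfile "$WORK/ca.crt" \
       -CRLfile "$WORK/ca.crl" "$1" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# A self-signed cert someone else made with the same CN: not issued by our CA.
make_stranger() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CFG" \
    -subj "/CN=ariel-client" -days 365 \
    -keyout "$WORK/stranger.key" -out "$WORK/stranger.crt" >/dev/null 2>&1
}

make_ca
issue_client ariel-client
make_stranger
echo "issued cert:          $(verify_client "$WORK/ariel-client.crt")"
echo "stranger cert:        $(verify_client "$WORK/stranger.crt")"
revoke_client "$WORK/ariel-client.crt"
echo "revoked, no CRL check: $(verify_client "$WORK/ariel-client.crt")"
echo "revoked, CRL check:    $(verify_client_crl "$WORK/ariel-client.crt")"
```

The last two lines are the point about CRLs: a revoked certificate still verifies cleanly if the server never loads the CRL, so revocation only helps when the server is actually configured to check it (which, as the reply notes, is easiest when the CA and the server live on the same machine). In a real deployment the `-CAfile` here corresponds to the trust store you give the server, and the same private root is what you pass to SSL_CTX_set_client_CA_list so clients get the hint about which certificate to present.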