Hi Ariel,

The simple answer to your questions is no. There is no way to workaround
this. Others have already explained why.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

> Well, I'm trying to do SSL Client Authentication for my website. So I bought
> a wildcard cert from GoDaddy and it works pretty well to enable SSL on my
> site. But now I'm trying to use it for SSL Client Auth for my clients. Then
> I'm trying to sign, issue and validate client certificates using the one I
> bought from GoDaddy with NO results :( So I'm wondering if it's possible and
> if so, how?
>
> Btw, the cert I got from GoDaddy has "CA:false" in its extensions, does it
> mean that I can't use it for the purpose I want? Is it possible, in some way,
> to create and sign client certificates using the one I got from GoDaddy? How
> can I include or create a chained root certificate in the certificates I
> provide/issue to my clients?
>
> Hope you can understand my issues.
>
> Thanks,
>
> - Ariel
>
> On Fri, Oct 22, 2010 at 6:04 PM, Eduardo Navarro <eduardo.nava...@live.com> wrote:
>
>> I think you can make your own CA, if you plan to only test this or want to
>> have people you know and that know you, setup your root as trusted.
>>
>> If your purpose is just for using an SSL cert for a website you own, then
>> you are basically better off just buying one from Verisign, Thawte,
>> whoever.
>>
>> If you plan to start your own SSL issuing service, then this is a
>> different story, you will need to look at WebTrust compliance as a
>> starting point.
>>
>> -Eduardo
>>
>> -----Original Message----- From: Mounir IDRASSI
>> Sent: Friday, October 22, 2010 2:26 PM
>> To: openssl-users@openssl.org
>> Subject: Re: error: unable to get local issuer certificate
>>
>>
>>
>> Hi Ariel,
>>
>> If you want to avoid browsers warning, your only option is to get a
>> valid certificate for your users from a commercial CA. You can get them
>> for free from StartSSL for example (http://www.startssl.com/).
>>
>> If you represent an organization, then you can try to qualify for the
>> intermediate CA programs offered by commercial CAs. This involves being
>> audited and vetted and this comes with some limitations. Of course, the
>> price for such a program can be very high depending on your needs.
>> I hope this clarifies things for you.
>>
>> Cheers,
>> --
>> Mounir IDRASSI
>> IDRIX
>> http://www.idrix.fr
>>
>> On 10/22/2010 7:03 PM, Ariel wrote:
>>
>>> Hi Dave, thanks for your reply but...
>>>
>>> On Thu, Oct 21, 2010 at 7:52 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
>>>
>>>    >       From: owner-openssl-us...@openssl.org On Behalf Of Ariel
>>>    >       Sent: Thursday, 21 October, 2010 16:34
>>>
>>>    >       On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p
>>>    >       <sandeepkir...@gmail.com> wrote:
>>>    >               mydomain.com.crt is an End-Entity certificate and
>>>    >               not a CA cert. <snip>
>>>
>>>    >       So basically you mean that I can't use "mydomain.com.crt"
>>>    >       to sign and issue new certificates for my clients? I thought
>>>    >       I can using the bundle or intermediate one they provided to
>>>    >       me. Sorry for my ignorance but I don't know too much how does
>>>    >       it work and this is annoying to me :S
>>>    >       I only want to generate and issue new certificates that my
>>>    >       clients can install in their browsers and then provide it to
>>>    >       me (SSL Client certificate) when they come to my site. Is this
>>>    >       possible without having to create a self-sign CA cert that
>>>    >       causes browsers to not recognize it as a valid CA? Can I
>>>    >       provide a trusted chained root with the certificates I'm
>>>    >       trying to issue?
>>>
>>>    > [sandeep?] So you either need to get a CA cert from GoDaddy or
>>>    > setup a test CA on your own using OpenSSL. GoDaddy, I am sure would
>>>    > not provide you with a CA certificate as that would then empower
>>>    > you to <snip rest>
>>>
>>>    Do as sandeep said. Create your own private CA with OpenSSL. You
>>>    issue certs to clients (who request them) and set your server(s) to
>>>    trust your private root and thus the certs presented by the clients.
>>>    Your server presents the cert issued to it under a real CA which the
>>>    clients trust.
>>>
>>> This means I need to create my own self-signed CA cert, right? And this
>>> is what I'm trying to avoid: "Because there is no established trust
>>> hierarchy leading to a self-signed certificate, it is impossible to
>>> verify that a self-signed certificate is genuine." [1]
>>>
>>> I was reading here [2] because this is what I'm trying to do: SSL Client
>>> Authentication; but my problem is in how to setup or get a valid ca.crt
>>> that I can use to sign and issue new client certificates and that will
>>> also validate properly.
>>>
>>> Is this possible?
>>>
>>> Thanks for your help,
>>>
>>> - Ariel
>>>
>>>
>>> [1]
>>> http://publib.boulder.ibm.com/infocenter/zos/v1r10/index.jsp?topic=/com.ibm.zos.r10.ikya100/intermed.htm
>>> [2]
>>> http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3
>>>
>>>    The only tricky bit is if your clients need to authenticate
>>>    themselves to some *other* server(s) besides yours. Then they need to
>>>    be able to select 'key/cert for Ariel' versus other, perhaps public,
>>>    key/cert(s). Your server should do SSL_[CTX_]set_client_CA_list to
>>>    your private root; this will send a 'hint' to the client which cert
>>>    to present -- although it's up to the client to actually obey this
>>>    hint, it's not required to.
>>>
>>>    Plus of course you need to ensure that the people/machines you issue
>>>    certs to are in fact the ones you want as clients. Although if you
>>>    make a mistake, you can issue your own CRL(s) which your server
>>>    checks. (And if it's convenient to put your CA on the same machine as
>>>    your server, this greatly simplifies the CRL distribution procedure.
>>>    <G?>)
>>>
>>>
>>>    ______________________________________________________________________
>>>    OpenSSL Project http://www.openssl.org
>>>    User Support Mailing List openssl-users@openssl.org
>>>    Automated List Manager majord...@openssl.org
>>>
>>>
>>>
>>> --
>>> Ariel Diaz Bermejo
>>> http://www.linkedin.com/in/adiazbermejo
>>>
>>>
>>
>
>
>
> --
> Ariel Diaz Bermejo
> http://www.linkedin.com/in/adiazbermejo
>

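The private-CA setup Dave Thompson recommends in the quoted thread, together with the reason the purchased "CA:false" certificate cannot replace it, as an added shell example that is not part of the thread and is not OpenSSL project code. It assumes only openssl(1) on PATH; the subjects, file names and the temporary working directory are made up for the demonstration, and the `site` certificate stands in for the GoDaddy end-entity cert.

```shell
#!/bin/sh
# Added example (not from the thread): build a private client-auth CA with
# openssl(1) and show why an end-entity (CA:false) certificate cannot issue
# certificates that verify. Every subject, name and directory is made up.

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on a system openssl.cnf,
# plus two extension profiles: one for a CA, one for an end entity.
write_config() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"
  cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  cat > "$WORK/ee.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
}

# make_csr NAME SUBJECT: fresh RSA key and CSR for NAME.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# make_private_root: the self-signed root ("ca.crt") the server will trust.
make_private_root() {
  make_csr root "/CN=Example Private Client CA" &&
  openssl x509 -req -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
}

# issue_cert NAME ISSUER PROFILE: sign NAME's CSR with ISSUER's key and cert.
# openssl x509 -req does not refuse a CA:false issuer; the problem only
# surfaces later, when a relying party verifies the result.
issue_cert() {
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$3.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# is_ca NAME: 0 if the certificate carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'CA:TRUE'
}

# verify_chain LEAF ANCHOR [UNTRUSTED]: 0 iff LEAF validates up to ANCHOR.
# This is the check a server does on the certificate a client presents.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$WORK/$2.crt" -untrusted "$WORK/$3.crt" "$WORK/$1.crt"
  else
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt"
  fi >/dev/null 2>&1
}

# run_demo: build everything; returns 0 only if the root-issued client cert
# verifies and the one issued by the CA:false certificate does not.
run_demo() {
  write_config && make_private_root || return 1
  # "site" plays the role of the purchased certificate: an end entity under
  # a root, marked CA:false.
  make_csr site "/CN=www.example.com" && issue_cert site root ee || return 1
  is_ca site && return 1
  # Client cert signed with the site key: issuance "works", validation fails.
  make_csr client_bad "/CN=client-bad" && issue_cert client_bad site ee || return 1
  verify_chain client_bad root site && return 1
  echo "client_bad: issued by CA:false site cert -> does not verify (expected)"
  # Client cert issued by the private root: the design Dave describes.
  make_csr client_ok "/CN=client-ok" && issue_cert client_ok root ee || return 1
  verify_chain client_ok root || return 1
  echo "client_ok: issued by private root -> verifies against root.crt"
}

run_demo
```

Run it as a script; `verify_chain` is the server-side check that matters, and removing its output redirect shows the reason `openssl verify` gives for rejecting the chain that passes through the CA:false certificate. The CRL step Dave mentions is left out because it needs an `openssl ca` database rather than the one-shot `openssl x509 -req` signing used here.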
