You need to have your Root CA certificate (the one used to issue the
intermediate CAs and the HTTP cert) to be added to the Trusted Root
Certificates store. Firefox manages this separately, same as Apple. Apple
needs to add the CA to the Keychain as a trusted root. Firefox, you need to
add it to the Security Settings (don’t remember exact name of menu/tab).
-Eduardo
-----Original Message-----
From: Craig White
Sent: Wednesday, August 24, 2011 4:54 PM
To: openssl-users@openssl.org
Subject: being my own ca
I've been at this for too many hours and too many web pages and I'm so
close... I think I could use a little help over the final obstacle.
I'm trying to be my own CA and what I want to accomplish is to be able to
sign web server certificates that are automatically accepted by our LAN
users if they have the CA certificate installed.
My CA certificate verifies fine...
root@ubuntu:/etc/ssl# openssl verify cacert.pem
cacert.pem: OK
My host web server certificate (generated with the key removed) verifies
fine...
root@ubuntu:/etc/ssl# openssl verify ubuntu/http.pem
ubuntu/http.pem: OK
I signed all the certificates that I generated with the CA key file that was
used for the CA certificate.
And if I load either the DER or the PEM version of my self-signed CA into
Firefox or Apple's Keychain access, I would expect that it should just be
accepted (but it's not). Of course users can choose to 'accept' but I'm
looking to get past that.
If someone can help me get over the hurdle, I would appreciate it.
The code I use to generate the web cert is...
openssl req -new -nodes \
-out $CERTPATH/http.csr \
-keyout $CERTPATH/http.key \
-days 3650 \
-config $CONFIG
openssl ca \
-config $CONFIG \
-policy policy_anything \
-out $CERTPATH/http.pem \
-infiles $CERTPATH/http.csr
TIA
--
Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ craig.wh...@ttiltd.com
1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com
Need help communicating between generations at work to achieve your desired
success? Let us help!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
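
Checks worth running on a private CA before its certificate is imported into a trust store, as an added example that is not part of either message in this thread. It builds a throwaway CA and web server certificate in a temporary directory (all names are constructed), uses `openssl x509 -req` in place of `openssl ca` so no CA database is needed, and assumes an OpenSSL 1.1.0 or later binary on the PATH.

```shell
#!/bin/sh
# Added example. All names (Example LAN Root CA, www.lan.example) are constructed.

make_ca_and_cert() {            # $1 = empty working directory
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example LAN Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Extensions for the web server certificate: not a CA, name in subjectAltName.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.lan.example\n' > "$d/srv.ext"
    # Self-signed root certificate.
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null || return 1
    # Key and CSR for the web server, as in the post's "openssl req -new -nodes".
    openssl req -new -nodes -newkey rsa:2048 -config "$d/ca.cnf" \
        -subj "/CN=www.lan.example" \
        -keyout "$d/http.key" -out "$d/http.csr" 2>/dev/null || return 1
    # Sign the CSR with the CA key (x509 -req stands in for "openssl ca").
    openssl x509 -req -in "$d/http.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/srv.ext" -out "$d/http.pem" 2>/dev/null
}

# True if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True if leaf $2 chains to CA file $1 and is usable as a TLS server certificate.
chain_ok() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, to compare with the entry shown in the browser or Keychain.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

demo=$(mktemp -d)
make_ca_and_cert "$demo" && is_ca_cert "$demo/cacert.pem" \
    && chain_ok "$demo/cacert.pem" "$demo/http.pem" \
    && ca_fingerprint "$demo/cacert.pem"
rm -rf "$demo"
```

Passing the CA explicitly with `-CAfile` ties the result to that one file rather than to whatever happens to sit in the default certificate directory.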