What is a CA? _Conceptually_ a CA is nothing more than a self-signed certificate you trust as an issuer of other certificates :-)
So, a self-signed certificate doesn't need its own CA. Or, it is the same thing.

From a practical point of view, in my opinion the main differences are this:

Say you have 100 self-signed certificates. You have to put them out of band, in a secure way, in the N places they will be needed to authenticate the owners of the associated private keys. The day you add the 101st self-signed certificate, you have to put it on the N places, as before.

On the other hand, if you have your own root CA, you just have to put once 1 certificate, the certificate of the root CA, in the N places. The day you add the 101st certificate issued by the CA, you don't need to do anything in the N places.

If you have a CA, you must guard the private key. A compromise will compromise _all_ your system.

If you don't have a CA, you don't have to guard a private key. A compromise will compromise 1 identity.

In both cases (CA or not), you probably need a way to revoke certificates.

On Jun 4, 2012, at 17:07 , Dinh, Thao V CIV NSWCDD, K72 wrote:

> Please help me to understand more about "SELF SIGNED CERTIFICATES".
>
> Do Self-Signed certificates have to be signed at all by their own CA?? Do we have
> to generate a CSR for each client?? If they do, what is the best way to
> create a "Self-Signed Cert"?? Either
>
> 1. Each client is its own CA
>    a. // generate keys and CSR
>       openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
>    b. // generate cert signed by its own CA
>       openssl x509 -req -in clientreq.pem -sha1 -signkey clientkey.pem -out clientcert.pem
>
> 2. Create one root CA, every client creates its own Certificate signed by
>    root CA
>
>    // create root
>    a. openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
>    b. openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem
>    c. cat rootcert.pem rootkey.pem > root.pem
>
>    // create client certificate, signed by common root
>    d. openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
>    e. openssl x509 -req -in clientreq.pem -sha1 -CA root.pem -CAkey root.pem -CAcreateserial -out client.pem
>
> Please help.
>
> Thao

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
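The two setups from the question, built end to end and checked with `openssl verify`, as an added example that is not part of the original thread. It mirrors Thao's two-step recipe (`openssl req`, then `openssl x509 -req`) but uses rsa:2048/sha256 instead of rsa:1024/sha1, marks the root as CA:TRUE via an extensions file so verifiers accept it as an issuer, and restricts each check to exactly one trust-anchor file (`-no-CAfile -no-CApath`) to model what a given "place" has installed. The names (Demo Root CA, client1, standalone) and the temporary directory layout are made up for the demo; it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes OpenSSL >= 1.1.1.
# Shows the reply's point: one root cert installed in every "place" covers
# every certificate the CA issues, while a self-signed cert is only accepted
# where that exact cert has been installed.
set -eu

# Create a self-signed root CA in $1 (rootkey.pem + rootcert.pem), using the
# same req -> x509 -req -signkey steps as the question, plus CA extensions.
make_root() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$dir/rootkey.pem" -out "$dir/rootreq.pem" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/root.ext"
    openssl x509 -req -in "$dir/rootreq.pem" -sha256 -days 365 \
        -signkey "$dir/rootkey.pem" -extfile "$dir/root.ext" \
        -out "$dir/rootcert.pem" 2>/dev/null
}

# Issue an end-entity client certificate named $2 under the root in $1.
# Only the CA key is used; nothing installed in the N places changes.
issue_client() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -in "$dir/$name.csr" -sha256 -days 365 \
        -CA "$dir/rootcert.pem" -CAkey "$dir/rootkey.pem" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/$name.pem" 2>/dev/null
}

# Option 1 from the question: a client that signs its own certificate ($2 in $1).
make_self_signed() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -sha256 -days 365 \
        -signkey "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# Does certificate $2 chain to the trust anchors in file $1, and nothing else?
# -no-CAfile/-no-CApath keep the system store out of the picture. Exit 0 = yes.
verifies() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Walk through both setups and report what each trust-anchor file accepts.
demo() {
    work=$(mktemp -d)
    make_root "$work"
    issue_client "$work" client1
    issue_client "$work" client2
    make_self_signed "$work" standalone
    for c in client1 client2 standalone; do
        if verifies "$work/rootcert.pem" "$work/$c.pem"; then
            echo "$c: accepted with only rootcert.pem installed"
        else
            echo "$c: rejected; its own cert would have to be installed in every place"
        fi
    done
    verifies "$work/standalone.pem" "$work/standalone.pem" \
        && echo "standalone: accepted once standalone.pem itself is a trust anchor"
    rm -rf "$work"
}

demo
```

The CA:TRUE / keyUsage extensions on the root matter: a bare `openssl x509 -req -signkey` certificate with no extensions is fine as a self-signed leaf, but modern verifiers will not accept it as an issuer of other certificates, which is the one job a root has.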