Hi, Marco.

What can you say (_conceptually_) about a way to revoke root CA certificates? They don't have any CRL distribution points or OCSP responder URLs. But why is that so? For example, another company (another CA) could sign an OCSP responder certificate for the root certificate, and this would be a more secure scheme compared with the existing reality. The probability that the private keys of both companies are compromised at the same time is very low.

Regards,
Vladimir.

----------------------------------------------------------------------------------
From: Marco Molteni
Sent: Tuesday, June 05, 2012 1:35 PM
To: openssl-users@openssl.org
Subject: self-signed certificates vs CA (was: Re: authenticate peer)

What is a CA? _Conceptually_ a CA is nothing more than a self-signed certificate you trust as an issuer of other certificates :-)

So, a self-signed certificate doesn't need its own CA. Or, it is the same thing.

From a practical point of view, in my opinion the main differences are these:

Say you have 100 self-signed certificates. You have to put them out of band, in a secure way, in the N places where they will be needed to authenticate the owners of the associated private keys. The day you add the 101st self-signed certificate, you have to put it in the N places, as before.

On the other hand, if you have your own root CA, you just have to put 1 certificate, the certificate of the root CA, in the N places once. The day you add the 101st certificate issued by the CA, you don't need to do anything in the N places.

If you have a CA, you must guard the private key. A compromise will compromise _all_ of your system.

If you don't have a CA, you don't have to guard a private key. A compromise will compromise 1 identity.

In both cases (CA or not), you probably need a way to revoke certificates.

On Jun 4, 2012, at 17:07 , Dinh, Thao V CIV NSWCDD, K72 wrote:

> Please help me to understand more about "SELF SIGNED CERTIFICATES".
>
> Do self-signed certificates have to be signed at all by their own CA? Do we have
> to generate a CSR for each client? If they do, what is the best way to create a
> "self-signed cert"? Either:
>
> 1. Each client is its own CA
>    a. // generate keys and CSR
>       openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
>    b. // generate cert signed by its own CA
>       openssl x509 -req -in clientreq.pem -sha1 -signkey clientkey.pem -out clientcert.pem
>
> 2. Create one root CA; every client creates its own certificate signed by
>    the root CA
>
>    // create root
>    a. openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
>    b. openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem
>    c. cat rootcert.pem rootkey.pem > root.pem
>
>    // create client certificate, signed by common root
>    d. openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
>    e. openssl x509 -req -in clientreq.pem -sha1 -CA root.pem -CAkey root.pem -CAcreateserial -out client.pem
>
> Please help.
>
> Thao

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
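Added example, not code from the thread or from any of its participants: the two models in Thao's question (each client self-signed vs. one root CA) built with the same openssl subcommands, then checked the way one of Marco's "N places" would check a presented certificate, with `openssl verify -CAfile`. It assumes a scratch directory in $WORK, the placeholder identities alice, bob, carol and dave, and rsa:2048 with sha256 in place of the rsa:1024/sha1 in the quoted commands. The last step of Thao's option 2 passed -signkey together with -CA/-CAkey; those are alternatives (self-sign vs. CA-sign), so only -CA/-CAkey are used here. Revocation, which Marco says is needed in both models, is not shown.

```sh
#!/bin/sh
# Added example: the two trust models from Thao's question, built with
# openssl and checked with `openssl verify`. Not code from the thread.
# Assumptions: rsa:2048/sha256 instead of Thao's rsa:1024/sha1, a
# scratch directory in $WORK, and placeholder names (alice, bob, ...).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Shared step: a key pair and a CSR for "$1" (Thao's steps 1a / 2d).
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Model 1: each client is its own CA, i.e. a self-signed cert (step 1b).
make_self_signed() {
    make_key_and_csr "$1"
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
        -signkey "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Model 2: one root CA (steps 2a-2c collapsed into `req -x509`, which
# self-signs the request and marks the certificate as a CA).
make_root_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Model 2, client side (steps 2d-2e). -signkey (self-sign) and
# -CA/-CAkey (CA-sign) are alternatives, so only the latter appear.
# -CAcreateserial lets the first issuance run without a serial file.
issue_from_root() {
    make_key_and_csr "$1"
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# What one of Marco's "N places" does: trust exactly the certs in the
# store file "$1" and ask whether the presented cert "$2" chains to
# one of them. Prints "ok" or "fail" instead of openssl's own output.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demonstration; each line is one (presented cert, trust store) pair.
demo() {
    make_self_signed alice
    make_self_signed bob
    make_root_ca
    issue_from_root carol
    issue_from_root dave

    # Self-signed: a place holding alice's cert accepts alice, a place
    # holding only bob's cert does not. Every new identity has to be
    # copied to every place.
    echo "alice -> store{alice}: $(verify_against "$WORK/alice.crt" "$WORK/alice.crt")"
    echo "alice -> store{bob}:   $(verify_against "$WORK/bob.crt"   "$WORK/alice.crt")"

    # Root CA: a place holding only root.crt accepts carol and dave,
    # and would accept the 101st issued cert too, with no copy step.
    echo "carol -> store{root}:  $(verify_against "$WORK/root.crt"  "$WORK/carol.crt")"
    echo "dave  -> store{root}:  $(verify_against "$WORK/root.crt"  "$WORK/dave.crt")"

    # A self-signed client cert is no trust anchor for CA-issued certs.
    echo "carol -> store{alice}: $(verify_against "$WORK/alice.crt" "$WORK/carol.crt")"
}

demo
```

The store file passed to -CAfile stands in for whatever each of the N places keeps as its trust anchors; the point of the root CA model is that this file never changes when a new client is issued, while in the self-signed model it grows by one entry in every place.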