Title: RE: don't want private key of the client in the ldap

Steve,
Could you please let me know the exact openssl commands for generating the CA cert
and Client certs, both without compromising the private keys.

As you told, the CA's private key is sent to everyone in the following method. But I couldn't find
how to stop this.

And also, I want to generate the client certificates using just the CSR and also don't want
to store anything else in the ldap entries except the certificate alone. I would like
to know the openssl command steps for this also.

All I did was follow some openssl cookbook found somewhere in the net. Couldn't find
any specialist procedure (inc. step by step commands) for generating CA and client certs.

Waiting for guidance.
Sarath


> Hi everybody,
>     I am trying to do client authentication using self signed CA and client certificates. I want to store the client
> certificate in the ldap entries. The CA certificate is in the web server. I followed the below mentioned steps
> to create the CA and client certificates :

> CA Certificate
> # generate the key for the certificate and store it in .key file
> openssl genrsa -des3 -out $CA_DIR/CA.key 1024

> # sign the request for the CA cert and store it in .csr file
> openssl req -new -x509 -days 365 -config $SSLDIR/openssl.cnf -key $CA_DIR/CA.key -out $CA_DIR/CA.crt
> # convert the cert into pkcs12 format so that it can be imported into IE
> openssl pkcs12 -export -in $CA_DIR/CA.crt -inkey $CA_DIR/CA.key -out $CA_DIR/CA.pfx
>

DO NOT DO THIS!! This gives away your CA's private key to everyone using
it and renders it useless.

Steve.
--
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
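The thread asks for a CA/client workflow in which no private key leaves the machine that made it, and Steve's objection is that the quoted `pkcs12 -export ... -inkey CA.key` step packs the CA's private key into the bundle handed to every user. The script below is an added example written for this thread, not a set of commands from Sarath, Steve or the OpenSSL project. It assumes the `openssl` command-line tool is installed with its default `openssl.cnf`, uses a scratch directory `$WORK` and the names `Example Test CA`, `sarath` and the password `changeit`, all of which are constructed for the example. Each step is placed on the machine where it should run: the CA key is only ever read by the CA, the client key is only ever read by the client, and the only things that cross between them are `CA.crt` (public) and the CSR (public key plus name). The last two functions are the checks a practitioner would run before publishing anything: that `client.crt` chains to `CA.crt`, that neither `CA.crt` nor the CSR carries a private key, and that the browser bundle contains exactly one private key (the client's own), whereas a bundle built the way the quoted step did it contains the CA key as well.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's commands).
# Assumes: openssl CLI present; $WORK is a scratch dir (constructed).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"          # lives only on the CA machine
CLIENT_DIR="$WORK/client"  # lives only on the client machine

# Step 1 (CA machine): generate the CA key and a self-signed CA cert.
# CA.key never leaves this directory; CA.crt is the only file published
# (to the web server and to browsers).
make_ca() {
    mkdir -p "$CA_DIR" && chmod 700 "$CA_DIR"
    openssl genrsa -out "$CA_DIR/CA.key" 2048 2>/dev/null
    chmod 600 "$CA_DIR/CA.key"
    openssl req -new -x509 -days 365 -key "$CA_DIR/CA.key" \
        -subj "/CN=Example Test CA" -out "$CA_DIR/CA.crt" 2>/dev/null
}

# Step 2 (client machine): generate the client key locally and produce a
# CSR. The CSR carries only the public key and the name, so it is the one
# thing sent to the CA.
make_client_csr() {
    mkdir -p "$CLIENT_DIR" && chmod 700 "$CLIENT_DIR"
    openssl genrsa -out "$CLIENT_DIR/client.key" 2048 2>/dev/null
    chmod 600 "$CLIENT_DIR/client.key"
    openssl req -new -key "$CLIENT_DIR/client.key" \
        -subj "/CN=sarath" -out "$CLIENT_DIR/client.csr" 2>/dev/null
}

# Step 3 (CA machine): sign the CSR with the CA key. The CA never sees the
# client key. client.crt is the only artefact that goes into LDAP.
sign_client_csr() {
    openssl x509 -req -days 365 -in "$CLIENT_DIR/client.csr" \
        -CA "$CA_DIR/CA.crt" -CAkey "$CA_DIR/CA.key" -CAcreateserial \
        -out "$CLIENT_DIR/client.crt" 2>/dev/null
}

# Step 4 (client machine): build the PKCS#12 bundle for the browser from the
# client's own key and cert, adding the chain via -certfile with CA.crt.
# Note: CA.key is not referenced anywhere here.
bundle_for_browser() {
    openssl pkcs12 -export -in "$CLIENT_DIR/client.crt" \
        -inkey "$CLIENT_DIR/client.key" -certfile "$CA_DIR/CA.crt" \
        -passout pass:changeit -out "$CLIENT_DIR/client.pfx" 2>/dev/null
}

# For contrast only: the quoted step from the thread, which exports the CA
# key itself. The check below shows why it must not be distributed.
mistaken_ca_bundle() {
    openssl pkcs12 -export -in "$CA_DIR/CA.crt" -inkey "$CA_DIR/CA.key" \
        -passout pass:changeit -out "$CA_DIR/CA.pfx" 2>/dev/null
}

# Check 1: the client cert chains to the published CA cert.
client_cert_verifies() {
    openssl verify -CAfile "$CA_DIR/CA.crt" "$CLIENT_DIR/client.crt" \
        >/dev/null 2>&1
}

# Check 2: a PEM file meant for publication must not carry a key block.
contains_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# Check 3: count private keys inside a PKCS#12 bundle by exporting it to
# PEM and counting BEGIN ... PRIVATE KEY headers.
pfx_private_key_count() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nodes 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY'
}

run_all() {
    make_ca
    make_client_csr
    sign_client_csr
    bundle_for_browser
    client_cert_verifies
    ! contains_private_key "$CA_DIR/CA.crt"
    ! contains_private_key "$CLIENT_DIR/client.csr"
    ! contains_private_key "$CLIENT_DIR/client.crt"
    [ "$(pfx_private_key_count "$CLIENT_DIR/client.pfx")" = 1 ]
}
```

Running `run_all` after sourcing the script exercises the whole flow; the function returns non-zero if any check fails, so it can be dropped into a provisioning script as a guard. The `mistaken_ca_bundle` function is kept separate and is not called by `run_all`; it exists only so the key-count check can show the difference between a bundle that holds the client's key and one that also holds the CA's.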
