I'm still unsure about the CA cert?
What does this do, how does it fit in?
Is this the SAME as a signed certificate which the web server uses? (I
don't think so)
Which certificate is the one browsers need to install? (i.e. the one we need
to generate for them)
I'm fine with:
- generating a secret key file
- generating a CSR
- generating a signed CSR (which will be used by the web server)
but not so clear with the browser side when the server is configured to ask
for a client certificate.
Thanks
BTW Matt: your web link would be much appreciated to clear the concepts
for neophytes.
At 04:03 PM 08/11/99 -0700, you wrote:
>Hi:
>
>Eventually, I'm going to create a website that explains the basics
>(since that's all I know so far) of making a root cert from the command
>line.
>
>Here's how I do it.
>
>1) generate a 1024 bit private key, have the output go to privkey.pem,
>encrypted with triple DES
>
>openssl genrsa -des3 -out privkey.pem 1024
><you will be prompted for a passphrase for the 3des encryption>
>
>
>1.5) OPTIONAL - take a look at the key you just made
>
>openssl rsa -in privkey.pem -text
><passphrase again>
>
>
>2) Create a certificate request that includes your public key, and is
>signed with your private key.
> openssl.cnf will have to exist somewhere for this to function - if you
>don't know what that ought to look like, you'll have to wait for me
> to finish my website (start it, actually) - or search the sparse docs -
>the sample one that ships with OpenSSL is OK
>
>openssl req -new -key privkey.pem -out mycert-req.pem
><passphrase, yet again, plus lots of personal information>
>
>
>I think you can combine steps 1 and 2 by using openssl req -newkey
>rsa:1024, but
>a) I'm not sure if it encrypts the key
>b) I've never done it that way, and I only want to suggest what I know
>
>
>2.5) OPTIONAL - take a look at your cert request
>openssl req -in mycert-req.pem -text
>
>
>3) Use the cert request and the private key to generate a self-signed
>cert
>openssl x509 -req -in mycert-req.pem -out mycert.pem -signkey
>privkey.pem -CAcreateserial
>
>This bears a little explanation:
>x509 : the subcommand of openssl that deals with x.509 certificate
>objects
>-req : tells openssl that the input file is a certificate request
>-in : the cert-request file
>-out : where to put the output (a certificate)
>-signkey : this tells openssl two things (at least, there may be more)
> a) which key to sign the cert with
> b) that this is the creation of the CA cert, so don't ask where the
>CA cert is - this is important, because an x.509
> object needs issuer information normally contained in the CA
>cert, but this flag indicates that this info will have
> to come from the user
>-CAcreateserial : every cert needs a serial number, and this flag says
>"there ain't one; make it up"
>
><passphrase still again, plus personal info that will become issuer
>information for your root cert>
>
>
>4) Take a peek at your new cert
>
>openssl x509 -in mycert.pem -text
>
>
>That should do it.
>
>
>I'm pretty sure there are ways to combine some/all of these steps, but I
>haven't done it any other way.
>As I'm a novice with OpenSSL myself, corrections from those who know
>better will be welcome.
>
>Best of luck
>
>-Mike
>
>
>
>Matt Isleb wrote:
> >
> > Hi,
> >
> > I am setting up an Aventail VPN server and it uses SSL for
> > encryption. But to get SSL to work I need a signed certificate as well
> > as the root cert. It seems that the openssl command is poorly
> > documented. I found information on the apache-ssl web site on creating
> > signed cert using ssleay. Here is what I have done so far:
> >
> > openssl req -new > new.cert.csr
> > openssl rsa -in privkey.pem -out new.cert.key
> > openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
> >
> > What I need now is the root cert. Like what verisign would give you to put
> > in your browser when they sign a test cert.
> >
> > I imagine that it is some incarnation of 'openssl ca' but for the life
> > of me I can't figure it out.
> >
> > Matt Isleb
> > UNIX Support Guy
> > onShore, Inc.
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
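The full flow the thread is working toward, as an added example rather than anything Mike or Matt posted: a self-signed root CA, then a server cert and a browser client cert both signed by that CA (instead of self-signed with -signkey), and a check that each chains to the root for the right purpose. It assumes a reasonably recent `openssl` on PATH; every file name, subject and password below is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a private CA and two leaf certs
# in a scratch directory, then verifies them against the CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch dir (constructed)

make_pki() {
  cd "$WORK"
  # Minimal openssl.cnf so nothing depends on the system config (Mike's step 2
  # notes one must exist); -subj below supplies the DN without any prompts.
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # 1) Root CA: Mike's steps 1-3 in one command (-nodes skips the 3DES
  #    passphrase so this runs unattended; keep one on a real CA key).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config pki.cnf \
    -extensions ca_ext -subj "/CN=Example Root CA" -keyout ca.key -out ca.pem
  # 2) Web server: key + CSR, then signed BY THE CA (no -signkey here).
  openssl req -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=www.example.test" \
    -keyout server.key -out server.csr
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions server_ext -out server.pem
  # 3) Browser client cert, signed by the same CA and bundled as PKCS#12 for
  #    import; the server that asks for client certs is told to trust ca.pem.
  openssl req -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=alice" \
    -keyout client.key -out client.csr
  openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions client_ext -out client.pem
  openssl pkcs12 -export -inkey client.key -in client.pem -certfile ca.pem \
    -passout pass:changeit -out client.p12
}

# Prints "ok" if cert $1 chains to ca.pem for purpose $2 (sslserver|sslclient),
# "fail" otherwise; a serverAuth-only cert must not pass as a client cert.
check() {
  if openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
```

Running `make_pki` and then `check server.pem sslserver` / `check client.pem sslclient` shows both leaves validating against the root, while `check server.pem sslclient` fails on the extended key usage.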