There is a typo in my original message.  #3 is really
3. openssl req -new -x509 -key demokey.pem -out democert.pem

On Thu, Sep 14, 2000 at 09:10:59PM -0700, Gary Taylor wrote:
> Hello,
> 
> On a server that I support there are three SSL certificate related files.  One
> of them I'm trying to understand the need for and how it relates to self
> signed CA's that I generate for testing using OpenSSL.
> 
> The three files have explanations for them in the documentation as follows:
> ca.pem - the self signed root certificate
> democert.pem - a certificate signed with the public key in ca.pem.
> demokey.pem - the private key that matches the public key in democert.pem
> 
> When I create a self signed cert using the following it doesn't work. Meaning I
> can't even get the web server to start listening on the port I have assigned to
> SSL.  I rename the original files and drop in these two new files.    
> 
> 1. head -25 * > rand.dat
>  
> 2. openssl genrsa -rand rand.dat > demokey.pem
> 
> 3. openssl req -new -x509 -key key.pem -out democert.pem
> 
> 
> 
> So I'm trying to figure what I need this root (ca.pem) certificate for? I know
> what the democert.pem and demokey.pem are for.  When I use the server supplied
> cert I get a pop up in the browser telling me that this is a demo cert and do I
> want to trust it.  I thought that the root cert was the last one in the chain
> that would be verified by my browser.  I'm trying to determine if the reason my
> self-signed certs aren't working is because I'm missing something like this
> ca.pem.  Yet I don't understand the need for it.
> 
> 
> Next question.
> 
> I have a customer attempting to use 4096 bit keys with our product.  I suspect
> our product is broken because the customer seems to know what he's doing and I
> don't.  Hence the question above.  But I'd like to be able to test the browser
> using that large of a key size but don't know where to go.  Any suggestions?
> 
> Thanks,
> Gary
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
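
An added example, not part of the original thread: a sketch that builds the three files from the message in a scratch directory and checks how they relate, next to a self-signed certificate made with the corrected step 3. The subject names and the files cakey.pem, demo.csr and selfsigned.pem are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Subject names, cakey.pem, demo.csr and selfsigned.pem are
# constructed for illustration; only ca.pem/democert.pem/demokey.pem are
# names from the message above.

build_files() {   # build_files <dir>
    d=$1
    # Self-signed root (issuer == subject), signed with its own key.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test Root" \
        -keyout "$d/cakey.pem" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server key, then a request for it that the root's key signs.
    openssl genrsa -out "$d/demokey.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/demokey.pem" -subj "/CN=localhost" \
        -out "$d/demo.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/demo.csr" -days 30 -CAcreateserial \
        -CA "$d/ca.pem" -CAkey "$d/cakey.pem" \
        -out "$d/democert.pem" 2>/dev/null || return 1
    # Corrected step 3 from the message: self-signed from the same key.
    openssl req -new -x509 -key "$d/demokey.pem" -days 30 \
        -subj "/CN=localhost" -out "$d/selfsigned.pem" 2>/dev/null
}

# True when the private key and the certificate hold the same public key.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# True when <cert.pem> verifies with <anchor.pem> as the trusted root.
chains_to() {   # chains_to <anchor.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run as "sh example.sh demo" to print the results.
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d) && build_files "$t" || exit 1
    key_matches_cert "$t/demokey.pem" "$t/democert.pem" && echo "key matches democert.pem"
    chains_to "$t/ca.pem" "$t/democert.pem" && echo "democert.pem chains to ca.pem"
    chains_to "$t/selfsigned.pem" "$t/selfsigned.pem" && echo "selfsigned.pem is its own root"
    chains_to "$t/selfsigned.pem" "$t/democert.pem" || echo "democert.pem needs ca.pem"
    rm -rf "$t"
fi
```

The self-signed certificate verifies with itself as the only trust anchor, while the CA-issued democert.pem verifies only when ca.pem is supplied.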