Bert:
As indicated in other parts of the thread, this is a good application
of openssl and the SSL-Howto is a good starting point.

I'd like to extend the question however.

I've done something similar for my enterprise and have managed to get
the root certificate installed when we set up a machine for distribution,
so that problem is solved.

However, I am concerned about the number of certificates that the "ROOT"
is signing.  Or more correctly stated, I am concerned about the bottleneck
created by keeping the passphrase of the ROOT key inside a small group (me and
my partner only).

So, it occurs to me that the ROOT should make a number of intermediate
CA's who have relatively short lifespans, and I can distribute those
passphrases to a wider audience.

So, I started playing with that.  I CAN create an intermediate CA
certificate (I'm pretty sure) by adding the following lines in the
config that creates the csr.

x509_extensions                 = v3_ca
req_extensions                  = v3_req
[ v3_ca ]
basicConstraints                = critical,CA:true
subjectKeyIdentifier            = hash
[ v3_req ]
nsCertType                      = objsign,email,server

I then sign this with the ROOT certificate and all seems well.

I then create a server certificate and sign it with the intermediate
CA's certificate.

All this seems to work OK.  However when I load this server certificate
into Apache, and attempt to connect to the web site, I get (from I.E.)
"The security certificate was issued by a company you have not chosen
to trust."  Now remember, the ROOT certificate IS in the trusted store.
However when I view the certificate, the "Certificate Path" is empty.

If I then load the Intermediate CA's certificate into the trusted store,
then the certificate is accepted and the certification path shows the
complete line from the server cert to the intermediate ca cert to the
ROOT.

Now, my understanding of all this is that if the ROOT is in the trusted
store, the browser should follow the certification path to the ROOT
and call it good.  I can also understand that the browser doesn't know
how to get the Intermediate CA's certificate.  That is (I think) the
problem.  However, I am also under the impression that the server cert
can be packaged such that it sends the entire trust chain as part of
its own cert.

So, here are the questions (finally)!

1) Is my understanding correct in that I can package the entire trust
chain as part of the server cert?  If so, how?

2) If not, then how does the browser get the intermediate CA certificate
without having to explicitly load it into the browser?

3) Is my understanding completely off base, and this is not possible?

Thanks for the help.

Kevin



On Mon, Feb 04, 2002 at 12:58:53PM -0500, bjw wrote:
> Hi again,
>
> I have a second question...
>
> Can I host my own CA? Say on a Linux box (I think I can do it on NT, but
> I'd rather not!)
>
> What are the drawbacks to being my own CA (if it can be done)?  I am not
> currently providing e-commerce but I would like to have my web based
> data encrypted, but don't wish to shell out $250 (at this time) for a
> VeriSign approved CA.
>
> Thanks again for any (and all) responses!!!
>
> Bert Woods
> www.efotoboths.com www.fantasyent.com



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
Automated List Manager
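A worked example, added here and not code from Kevin's or Bert's messages: a throwaway three-tier PKI built with the openssl command line, then checked the way a browser checks it, with only the root in the trust store. It assumes the openssl binary is on the PATH; the subjects, file names and lifetimes are made up.

```shell
#!/bin/sh
# Throwaway three-tier PKI (root -> intermediate -> server) built with the openssl CLI.
# Constructed example: all subjects, file names and lifetimes are made up.
set -e
# make_test_pki DIR: writes root.crt, int.crt, server.crt (plus keys) and chain.pem into DIR.
make_test_pki() {
  d="$1"
  # CA profile: CA:true marks an issuer; keyCertSign is what verifiers check on a CA.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Intermediate profile: pathlen:0 stops it from minting further CAs.
  printf 'basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/int.ext"
  # End-entity profile for the web server.
  printf 'basicConstraints=CA:false\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\nauthorityKeyIdentifier=keyid\n' > "$d/server.ext"
  # Root: self-signed and long-lived; its key stays with the small group.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -days 3650 -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  # Intermediate: CSR signed by the root, short-lived, usable by a wider team.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 90 -extfile "$d/int.ext" -out "$d/int.crt" >/dev/null 2>&1
  # Server: CSR signed by the intermediate, never by the root directly.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
  # What the server must send: leaf first, then the intermediate. In Apache this is
  # SSLCertificateChainFile (int.crt), or the whole chain in SSLCertificateFile on 2.4.8+.
  cat "$d/server.crt" "$d/int.crt" > "$d/chain.pem"
}
# verify_leaf ROOT LEAF [SENT]: act like a client that trusts only ROOT and was handed
# SENT by the server. Exit status 0 means a complete path to the root was built.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}
```

With only root.crt trusted and nothing else handed over, verify_leaf fails exactly as the browser did ("issued by a company you have not chosen to trust"); handing it chain.pem builds the full path without ever adding the intermediate to the trust store.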