> -----Original Message-----
> From: Harold Tyler [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 19, 2002 3:47 PM
>
> I saw your email at http://www.openssl.org/ and I have a question I
> thought you might be able to answer.
Not sure if the mail is addressed to me but will try to answer anyway.

> I was wondering, if I bought a cert from VeriSign or Thawte, is there a
> way to generate chained certs from the original cert to be placed on many
> different servers?

Usually the certificate that you get from VeriSign or Thawte doesn't specify that you can sign other certificates. This is done by setting certain extension bits. However, recently someone demonstrated that one could indeed sign other certificates using a "normal server certificate" and IE will not care. However, this seems to be a bug.

> We have a product that uses SSL to guarantee a secure connection to the
> HTML based configurator on each box. And we plan to sell many boxes.
>
> I saw two options:
>
> 1) Buy a cert for each box
> 2) Create a chain off our original cert and place a generated cert on
> each box

To be able to create certificates, you need to know the domain name of the box. I am sure most of your customers would like this to be configurable. So, in principle, you cannot generate and install certs for your customers.

However, if you want to forgo the authentication provided by SSL (use it only for data privacy and integrity), then you can generate certs for each of the boxes with some dummy server name. In this case, you can be your own CA and you don't even need a cert from Thawte or VeriSign. OpenSSL will allow you to be your own CA. However, users of your box will always be prompted to accept the cert, as the signing CA's cert will not be in the user's browser truststore. The browser will prompt the user to accept the signing cert and some might accept that, but most will walk away.

You could have this dummy cert as the default SSL mode for better out-of-box functionality and ask your customer to purchase/create a server cert if they want their site to be SSL authenticated.

Pankaj Kumar
http://www.pankaj-k.net

> Any advice? Thank-you!
> - Harold Tyler
>
> Software Engineer
> EmergeCore Networks LLC
> 801-495-6082
> [EMAIL PROTECTED]
>
> "I am sick and tired of women dating me just to further their careers ...
> damn anthropologists!" - Emo
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
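The two points in the reply above, that a certificate can only act as an issuer when the CA extension bits are set, and that a per-box cert issued by a private CA only verifies against the hostname baked into it, can be checked end to end with the openssl command line. The script below is an added example and is not code from the thread or from the OpenSSL project; it assumes `openssl` is on the PATH and uses constructed names (the "Example Appliance Root CA" subject, the `*.example.invalid` hostnames, files under a temporary `$WORK` directory).

```shell
#!/bin/sh
# Added example, not from the thread: show with OpenSSL why a normal server
# certificate cannot act as an issuer, and how a private CA issues a per-box
# certificate with a placeholder hostname.  All names (example.invalid hosts,
# the CA subject, file paths under $WORK) are constructed for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# Create a private root CA.  basicConstraints CA:TRUE plus keyUsage keyCertSign
# are the "extension bits" that mark a certificate as allowed to sign others.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Appliance Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_leaf NAME ISSUER_CRT ISSUER_KEY OUT: issue an end-entity (server) cert
# for hostname NAME, signed by the given issuer key.  CA:FALSE is deliberate:
# this is what a purchased or self-issued *server* certificate looks like.
issue_leaf() {
    name="$1"; issuer_crt="$2"; issuer_key="$3"; out="$4"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$name" > "$WORK/$out.ext"
    openssl x509 -req -in "$WORK/$out.csr" -CA "$issuer_crt" -CAkey "$issuer_key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$out.ext" \
        -out "$WORK/$out.crt" 2>/dev/null
}

# is_ca CERT: print true/false depending on the basicConstraints CA bit.
is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo true
    else
        echo false
    fi
}

# chain_ok LEAF [UNTRUSTED] [HOSTNAME]: print valid/invalid as a client that
# trusts only ca.crt would judge the chain (and the hostname, if one is given).
chain_ok() {
    leaf="$1"; untrusted="${2:-}"; host="${3:-}"
    set -- -CAfile "$WORK/ca.crt"
    if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
    if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
    if openssl verify "$@" "$leaf" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

make_ca
# Box 1: signed directly by our private CA, as the reply suggests.
issue_leaf box1.example.invalid "$WORK/ca.crt" "$WORK/ca.key" box1
# Box 2: signed by box 1's *server* certificate, i.e. a chain hung off an
# ordinary non-CA certificate, which a correct client must reject.
issue_leaf box2.example.invalid "$WORK/box1.crt" "$WORK/box1.key" box2

CA_IS_CA=$(is_ca "$WORK/ca.crt")                                              # true
BOX1_IS_CA=$(is_ca "$WORK/box1.crt")                                          # false
DIRECT=$(chain_ok "$WORK/box1.crt")                                           # valid
VIA_LEAF=$(chain_ok "$WORK/box2.crt" "$WORK/box1.crt")                        # invalid
# The placeholder name only verifies if the client is told to expect it.
NAME_MATCH=$(chain_ok "$WORK/box1.crt" "" box1.example.invalid)               # valid
NAME_MISMATCH=$(chain_ok "$WORK/box1.crt" "" customer-chosen.example.invalid) # invalid

printf 'ca is CA: %s\nbox1 is CA: %s\ndirect chain: %s\nchain via leaf: %s\nname match: %s\nname mismatch: %s\n' \
    "$CA_IS_CA" "$BOX1_IS_CA" "$DIRECT" "$VIA_LEAF" "$NAME_MATCH" "$NAME_MISMATCH"
```

The `VIA_LEAF` result is the point about the "extension bits": OpenSSL refuses the box2 chain because box1 carries `CA:FALSE` and no `keyCertSign`, which is exactly the check the reply says IE was failing to make. The `NAME_MISMATCH` result is the other point: a cert minted with a dummy name verifies only against that name, so a customer who renames the box gets a warning unless they install their own certificate.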