Rohan Pinto wrote:
> I wrote:
> What you need to do is:
>
> 1. create a root certificate
> 2. install that root certificate into all your web browsers
> 3. create a CSR on the server
> 4. use the root to sign that CSR into a server certificate
>
> This is the part that I would need help on. I have created a root
> certificate, I've imported that into all my web browsers and also on the
> webserver. I have also created a CSR from the webserver. I don't know how to
> sign the CSR .... If I could get some advice on how to sign a CSR I would at
> least get an understanding of the flow. From what I have understood so
> far... I used the rootCA private key while signing the CSR. The webserver's
> public key is sitting somewhere on the webserver. I would need to use that
> key to sign the CSR. The question is: how do I get that key? Also.... I am
> confused as I believed that the webserver's key would be embedded in the CSR.

You are doing fine until you get to "signing the CSR with the webserver's public key which is sitting somewhere on the webserver."

Important theoretical points

1. The CSR "IS" the webserver's public key, plus some ID info

2. The CSR is made INTO the Certificate by signing with the
   root's private key (not any server key nor any public key)

3. The webserver's PRIVATE key is the one sitting somewhere on
   the webserver

4. The Certificate IS the webserver's public key (as obtained
   from the CSR) and is SIGNED using the root's private key.
   Why?  So the root's public key, which EVERYBODY has access to,
   can be used to VERIFY that the certificate has not been forged.

So, take the CSR from the webserver machine to the machine where
you are running OpenSSL.  Sign the CSR into a certificate using
the private key from the root certificate.  This can be done with
either the "ca" tool (or something like CA.PL which calls it) or
with the "x509" tool.  Take the certificate back and install it
into the webserver.  The way to do this varies from webserver to
webserver but go to

http://www.ssl.com/support/installation.jsp

and look at the menu over on the right hand side.  Find your
webserver software and see if they have good installation
documentation.  This is a VERY well done web site.

> 5. install the server certificate on the server

> Wish I could get some pointers on the steps to sign a CSR that's
> generated from a webserver (which resides on abcd.com domain) using
> openssl that resides on (xyz.com)

on xyz.com:

   ftp abcd.com
   get server.csr.pem
   quit
   openssl x509 -req -in server.csr.pem \
                -CA root.cert.pem -CAkey root.key.pem <more options> \
                -out server.cert.pem
   ftp abcd.com
   put server.cert.pem

Under <more options> there is -CAserial to set a serial number,
maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the
certificate lifetime, etc.  Some of these things can be set in the
OpenSSL configuration file.  I'd look at "man x509".

Alternatively, signing can be done with the "ca" tool, but I'm
not so familiar with it.  It requires an infrastructure of a data
file and a serial number file and directories of various things etc
and since I based our database on Oracle it seemed too high-level and
high-maintenance to use.  Unfortunately it seems I need to use it
for my personal identity and privacy PKIs since "x509" doesn't seem
to know how to process a SPKIX file.

Sorry about my somewhat fuzzy (and in some places WRONG) answer
before.  I should REALLY learn not to type anything in before noon.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
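The flow above (root key, CSR carrying the server's public key, signing with the root's private key, verification with the root's public certificate), as an added example that is not part of the thread and not the OpenSSL project's own code. It runs the whole thing on one machine with the `openssl` command line, so there is no ftp step; the file names, the hostname `www.example.test`, the root's name, and the `-CAcreateserial`, `-extfile`, `-sha256` and `-days` settings are assumptions chosen for this example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: the whole root -> CSR -> signed
# server certificate flow on one machine, using only the openssl command line.
# File names, the hostname www.example.test and the root's name are assumptions.
set -eu

# All files land in one scratch directory (override with WORK=/some/dir).
WORK="${WORK:-$(mktemp -d)}"

# Step 1: a root CA. The root's private key stays on this machine; the
# self-signed certificate (root public key + ID info) is what browsers import.
# $1 = file prefix, $2 = common name.
make_root() {
    openssl genrsa -out "$WORK/$1.key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/$1.key.pem" -sha256 -days 3650 \
        -subj "/CN=$2" -out "$WORK/$1.cert.pem"
}

# Step 3 (normally done on the webserver): the server key is generated there
# and never leaves; only the CSR, which carries the server PUBLIC key, travels.
make_csr() {
    openssl genrsa -out "$WORK/server.key.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key.pem" -sha256 \
        -subj "/CN=www.example.test" -out "$WORK/server.csr.pem"
}

# Step 4 (done where the root key lives): turn the CSR into a certificate by
# signing it with the ROOT's private key. -CAcreateserial does the serial
# bookkeeping that the thread's -CAserial option covers by hand; the extfile
# adds a subjectAltName, which current browsers insist on.
sign_csr() {
    printf 'subjectAltName=DNS:www.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr.pem" \
        -CA "$WORK/root.cert.pem" -CAkey "$WORK/root.key.pem" -CAcreateserial \
        -sha256 -days 397 -extfile "$WORK/server.ext" \
        -out "$WORK/server.cert.pem" 2>/dev/null
}

# Points 1 and 4 of the reply as a check: the public key in the CSR and the
# public key in the certificate are identical; signing changed nothing in it.
csr_and_cert_share_pubkey() {
    from_csr=$(openssl req -in "$WORK/server.csr.pem" -pubkey -noout)
    from_cert=$(openssl x509 -in "$WORK/server.cert.pem" -pubkey -noout)
    [ "$from_csr" = "$from_cert" ]
}

# Point 2: the certificate's issuer is the root, and only the root's public
# certificate verifies it. Exit status 0 = verifies, non-zero = rejected.
issuer_of_server_cert() {
    openssl x509 -in "$WORK/server.cert.pem" -noout -issuer
}
cert_verifies_against() {
    openssl verify -CAfile "$1" "$WORK/server.cert.pem" >/dev/null 2>&1
}

# Run the flow end to end; this is what happens when the script is executed.
make_root root "Example Private Root"
make_csr
sign_csr
csr_and_cert_share_pubkey && echo "CSR and certificate carry the same public key"
cert_verifies_against "$WORK/root.cert.pem" && echo "certificate verifies against the root"
issuer_of_server_cert
echo "signed server certificate: $WORK/server.cert.pem"
```

Run it with `sh script.sh`; in the real two-machine setup only `make_csr` belongs on the webserver, and `server.key.pem` is the file that must never be copied anywhere. `cert_verifies_against` is the same check a browser performs once the root certificate has been imported: a certificate signed by any other root, even one with the same name, is rejected.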
