Hello All,

I wonder if someone would be so kind as to provide a bit more detail regarding certificate chains and how they affect the openssl setup?

For this discussion, let's assume I've created my own CA self-signed cert, and then created a cert for each of my virtual servers and signed each with my CA cert. (I'm assuming I need to create one for each virtual web server since they must have the FQDN in the subject, right?)

Now, when an outsider connects to my secure server, my server should present that client with a certificate, right? Which certificate does it present? The server's cert, or the CA's? Or does it need to present both?

I've seen references to the practice of concatenating the two together and I now assume this is what might be referred to as a "chain file"? But I'm not clear on "how" to concat the two or in what order. Is it as simple as "cat x1.pem cacert.pem > chainfile.crt"? And if so, should it be only the ---BEGIN CERT -- to ---END CERT--- data, not all of the rest of the text, or can it include the human readable text as well?

Also, what's the difference between the /certs and the /newcerts directories? Is the /certs where I place the certs that I trust and the /newcerts only stores the certs I've issued, but don't need to trust them explicitly (since I trust the issuer)? Or is the /certs where I place all of my server's certs?

Do I sound confused? I sure feel confused :) Anyone care to enlighten me? I'd sure appreciate it.

Thank you,
Dann

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
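
The concatenation asked about above, as an added example that is not part of the original post: a shell sketch that keeps only the BEGIN/END CERTIFICATE blocks, writes the server certificate first and its issuer after it, and refuses any input that holds a private key. The file names x1.pem, cacert.pem and chainfile.crt come from the post; x1.key, the function names and the PEM bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example. PEM bodies below are constructed placeholders, not real certificates.
# Print only the BEGIN/END CERTIFICATE blocks, dropping any human-readable text.
pem_certs() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# make_chain OUT LEAF [ISSUER...]: concatenate in the order given (server
# certificate first). Refuses inputs with a private key or no certificate.
make_chain() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "refusing $f: contains a private key" >&2; rm -f "$out"; return 2
        fi
        if ! grep -q -e '^-----BEGIN CERTIFICATE-----$' "$f"; then
            echo "no certificate block in $f" >&2; rm -f "$out"; return 3
        fi
        pem_certs "$f" >> "$out"
    done
}

# Constructed sample inputs (x1.key is a hypothetical key file name).
write_samples() {
    cat > "$1/x1.pem" <<'EOF'
Certificate:
    Data:
        Subject: CN=www.example.test
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDERAAAA
-----END CERTIFICATE-----
EOF
    cat > "$1/cacert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
CAPLACEHOLDERAAAAAA
-----END CERTIFICATE-----
EOF
    cat > "$1/x1.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
KEYPLACEHOLDERAAAAA
-----END RSA PRIVATE KEY-----
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
make_chain "$tmp/chainfile.crt" "$tmp/x1.pem" "$tmp/cacert.pem" && cat "$tmp/chainfile.crt"
rm -rf "$tmp"
```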