Also a newbie to ssl, but with the help of this list got it working a few weeks 
ago.

This document was very helpful for me when installing on Solaris, even though 
it is for RH, and you are using Debian.

http://www.linux-sxs.org/internet_serving/apache2.html

Also, for Common Name, using the IP address of the box worked for me.


-----Original Message-----
From: max <[EMAIL PROTECTED]>
Sent: Aug 30, 2005 6:09 AM
To: openssl-users@openssl.org
Subject: Autosigned Certificates : Need explanation

Hello all,

I'm a newbie in SSL and certificates and I need some explanation 
(I've already read manuals and howtos but still too dark for me):
On Debian,
* To generate a self-signed certificate, I use these commands:
   
/usr/lib/ssl/misc/CA.sh -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign

Files resulting from these operations are demoCA/cacert.pem, 
demoCA/private/cakey.pem, newreq.pem, newcert.pem

Questions: Are these commands sufficient and good?
           To generate other certificates on the same host, should I
           execute again (and use the demoCA):

           openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
           /usr/lib/ssl/misc/CA.sh -sign

           in the same directory?

           Do self-signed certificates, even if they are not signed by an
           official CA, provide a good security level for TLS communications?
           Can I obtain official and free certificates?

To finish, the recurrent issue (sorry), but in a real case :
    I've got two servers with mail servers and openldap (both in a LAN 
but not in the same site) and I want to replicate the openldap db using TLS.
    machine 1 name: server1.domain.com
    machine 2 name: server2             (no domain name)
   
    These machines have no entry in DNS (like ldap.domain.com).

    During CA creation, what Common Name should I provide on each host?
    During self-signed certificate creation, what Common Name should I 
provide on each host?

    Should I use the same CA for both certificates ?


If someone could answer simply and clearly, it could be helpful.

Thx.

Max

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
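
The flow asked about above, with one CA signing certificates for both hosts, as an added example that is not part of the original thread. It uses plain openssl commands instead of CA.sh; the host names come from the question, while the CA names, 2048-bit keys, 365-day lifetimes and file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one private CA, two host certificates.
# Assumes the default openssl.cnf marks `req -x509` certificates as CA:TRUE
# (Debian's does). CA names, key size, lifetime and file layout are assumptions.

# make_ca DIR NAME: self-signed CA key and certificate in DIR.
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# issue_cert CADIR HOST: new key and request with CN=HOST, signed by the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 365 \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# chains_to CACERT CERT: succeeds only if CERT verifies against CACERT.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# demo: both hosts from the question under one CA, plus an unrelated CA.
demo() {
    work=$(mktemp -d) || return 1
    make_ca "$work/ca" "Example Private CA" &&
    issue_cert "$work/ca" server1.domain.com &&
    issue_cert "$work/ca" server2 &&
    make_ca "$work/other" "Unrelated CA" || { rm -rf "$work"; return 1; }
    for host in server1.domain.com server2; do
        chains_to "$work/ca/cacert.pem" "$work/ca/$host.crt" &&
            echo "$host: trusted via ca/cacert.pem"
        chains_to "$work/other/cacert.pem" "$work/ca/$host.crt" ||
            echo "$host: rejected via other/cacert.pem"
    done
    rm -rf "$work"
}

demo
```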
