So now I am a little confused about using openssl command line utility as CA to give out certificates. What could be the reasons for using anything other than openssl as CA? Are there security issues? Are people using openssl as their private CA? are any particular problems reported regarding the use of openssl as private CA on large scale?
Well, openssl is really just a toolkit that can perform some functions of a CA. And if you want an open source toolkit, it's really the only option. I can't think of any features that openssl is missing that you would need for a CA, and there aren't any openssl-particular security issues; every application has security flaws now and then.

We use an openssl-based CA for our payment gateway. We issue them to clients, and require client certificates (in addition to the normal username/password that uses Kerberos) for all access to our web interfaces that provide access to cardholder data. We were actually the first gateway to do this, starting almost 4 years ago.

It also comes in handy for sending confidential information to our clients via email. Every client already has a certificate installed, so encrypting email messages to them is trivial. Much easier than trying to train them to use something like PGP.

I would say for the most part private CAs are used in intranets, although that is changing slowly.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
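The kind of private CA the reply describes, as an added example that is not part of the thread and is not the poster's gateway setup: a shell function that builds a self-signed root with the openssl command line, issues one client-authentication certificate from a CSR, and then runs the two checks a practitioner wants before trusting the CA in front of a web interface, namely that the issued cert verifies against the root and that a cert from an unrelated CA is rejected. The subject names (demo-ca, client1, rogue), the file names and the 2048-bit RSA keys are assumptions chosen for the demo; real deployments would keep the CA key encrypted and offline and would use `openssl ca` with its serial/index database so that revocation (CRLs) is possible.

```shell
#!/bin/sh
# Added example: minimal private CA with the openssl CLI (not from the original thread).
# Subject names, file names and key sizes are demo assumptions.
set -eu

# Build a CA, issue a client-auth cert, verify it, and reject a foreign cert.
# Returns 0 only when the positive and the negative check both behave correctly.
demo_private_ca() {
    work="${1:-$(mktemp -d)}"

    # 1. CA key and self-signed root. -nodes leaves the key unencrypted (demo only);
    #    the default openssl.cnf applies CA:TRUE to req -x509 output.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=demo-ca" -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1

    # 2. Client key and certificate signing request (what a client would send us).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=client1" -keyout "$work/client1.key" -out "$work/client1.csr" >/dev/null 2>&1

    # 3. Extensions for a leaf client cert: not a CA, usable for TLS client auth only.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$work/client.ext"

    # 4. Sign the CSR with the CA key; -CAcreateserial creates ca.srl on first use.
    openssl x509 -req -in "$work/client1.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$work/client.ext" \
        -out "$work/client1.pem" >/dev/null 2>&1

    # 5. Positive check: the issued certificate chains to our root.
    openssl verify -CAfile "$work/ca.pem" "$work/client1.pem" >/dev/null 2>&1 || return 1

    # 6. Negative check: a self-signed cert from an unrelated CA must NOT verify,
    #    otherwise the CA file would accept anyone presenting any certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=rogue" -keyout "$work/rogue.key" -out "$work/rogue.pem" >/dev/null 2>&1
    if openssl verify -CAfile "$work/ca.pem" "$work/rogue.pem" >/dev/null 2>&1; then
        return 1
    fi

    return 0
}
```

Run as `demo_private_ca /path/to/workdir` (or with no argument to use a temporary directory); `ca.pem` is what the web server would load as its trusted client-CA list, and `client1.pem` plus `client1.key` is what a client would present. The negative check matters because a server that trusts a public CA bundle instead of only `ca.pem` would accept client certificates it never issued.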