On Tue, Jul 7, 2009 at 2:38 AM, ad...@gg-lab.net <ad...@gg-lab.net> wrote:
> Hi All,
>
> I have, I hope, a very simple question (but no reply found on Google):
>
> Using CA.pl I created a self-signed certificate. And this is OK.
>
> Reading the manpage of CA.pl I noticed that I can also create a local CA.
>
> So, what's the difference between a simple self-signed certificate and
> a certificate created with my own CA?
A self-signed certificate is basically its own authenticator. It's useful for only as long as it's good for, and there's no continuity of administration. It's also not useful for identifying anything (except as "something that uses its own key to be signed"). If I were to create a self-signed certificate purporting to be from Bank of America, how would you know that it was legitimate? How would you know it was illegitimate?

Having a local CA means that when one certificate expires or otherwise becomes unuseful ("I lost the private key to this certificate"), you can simply issue another certificate... and clients that are set up to accept your CA will automatically accept it without having to go through the warning/exception process again.

> And, how can I create (with CA.pl if possible) certificates for
> multiple domains? I've used as Common Name *.mydomain.tld, but if I
> reach mydomain.tld, I get an error.

You're looking for something called the subjectAltName extension. For information on how to set it, look at the manpage for x509v3_config(5). You'd want a line with:

    subjectAltName=DNS:*.mydomain.tld,DNS:mydomain.tld

I'm not sure why this (most common) usage of subjectAltName isn't given as an example in that manpage.

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
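Both halves of the reply above as one runnable walkthrough, added here and not part of the thread: a local CA (the one place a self-signed certificate is the intended trust anchor) signs a server certificate carrying exactly the subjectAltName line Kyle gives, and openssl verify then confirms that both the bare domain and a wildcard match chain to that CA. It assumes the openssl command-line tool is installed; "My Local CA", "mydomain.tld" and the temp directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): local CA -> server cert with SAN ->
# verification. Assumes the openssl CLI; names below are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/openssl.cnf"

# One config for every step. The CSR subject alone never carries the SAN;
# the signer attaches it from the v3_server section at issuance time.
cat > "$CFG" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = mydomain.tld
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.mydomain.tld, DNS:mydomain.tld
EOF

# The CA certificate is self-signed: here that is the intended trust anchor.
make_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$CFG" -subj "/CN=My Local CA" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key + CSR, then the CA signs it and adds the SAN extension.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CFG" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$CFG" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
}

# Chain check: does the leaf chain to our local CA? (exit 0 = yes)
cert_chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Name check: does the SAN cover this hostname? (exit 0 = yes, 2 = mismatch)
cert_matches_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}
```

Because a client that trusts ca.crt also trusts anything it signs, re-issuing server.crt later needs no new warning/exception on that client; the same two checks tell you whether the reissued certificate is acceptable before you deploy it.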