I thought I should be specific about cert creation because I've seen big corporations issuing pure CA certs for all, and they actually never create a client cert. And no matter how many approaches one takes to explain that such a thing is not right, they keep issuing CA certs for all purposes (i.e. every employee owns a CA cert for him/herself!!). Issuing a CA cert is certainly easy and quick, but that's a thing a corporation should do once every due date (every 5 or 10 years).

So the right procedure is one CA cert and its key. What follows is either client certs that are non-CA (you cannot sign certificate requests with them), or other sub-CA certs (meaning they can be used to sign certificate requests).

The client's cert creation implies a CERTIFICATE SIGNING REQUEST (CSR), for one simple logical reason. The people asking for certs are responsible for their key pair!!!, so it would be kind of silly for the CA to issue keys and certs. In many cases a corporation having a CA inside and clients inside handles it all, but it's not correct. John Smith has to create his own key pair and a CSR, then send the CSR to the CA authority for signing the request and issuing John Smith's client cert. How John Smith is given software to make his key pair in the privacy of his home is an interesting topic.

For your specific case, you might possibly give every user the chance to get his/her key pair: an HTML form to fill out the CSR and automatically receive his/her key pair and cert, but also, the Apache would be ready with such a client updated in the configuration file of the virtual host.

If you look at the text form of the cert, you will find that the root cert has "issuer" and "client" to be the same, while sub-CAs' and any client's cert show an issuer (the one signing your cert) and subject (John Smith or financialCA).

--
View this message in context: http://www.nabble.com/Multiple-CAs-tp24590138p24593404.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
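The procedure described in the message above, carried out with the openssl command line, as an added example that is not part of the original post: the CA creates one key pair and one self-signed CA cert (CA:TRUE), the client generates his own key pair and a CSR, the CA signs that CSR into a non-CA client cert (CA:FALSE), and a few checks confirm the points the post makes (the root's issuer equals its subject, the client cert names the CA as issuer, and the client cert cannot act as an issuer). The names "Example Root CA", "John Smith" and "Jane Doe", the extension files and the temporary working directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenSSL project.
# Names, extension files and the working directory are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Print one DN field (-issuer or -subject) of a cert without the "issuer=" prefix.
dn() { openssl x509 -in "$1" -noout "$2" | sed 's/^[a-z]*= *//'; }

# Step 1 (CA side, done once per CA lifetime): one key pair and one self-signed
# CA cert. The extension file is what makes it a CA (CA:TRUE) and restricts
# the key to signing certificates and CRLs.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2 (client side): John Smith creates his own key pair and a CSR.
# Only the CSR is sent to the CA; the private key stays with John.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=John Smith" \
    -keyout "$WORK/john.key" -out "$WORK/john.csr" 2>/dev/null
}

# Step 3 (CA side): sign the CSR. The CA, not the requester, decides the
# extensions and sets CA:FALSE, so the client cert cannot sign further requests.
sign_client_csr() {
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid,issuer' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/john.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.ext" \
    -out "$WORK/john.crt" 2>/dev/null
}

# Checks on the result; each returns 0 when the property holds.
ca_is_self_signed()   { [ "$(dn "$WORK/ca.crt" -issuer)" = "$(dn "$WORK/ca.crt" -subject)" ]; }
ca_is_ca()            { openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q 'CA:TRUE'; }
client_issued_by_ca() {
  [ "$(dn "$WORK/john.crt" -issuer)" = "$(dn "$WORK/ca.crt" -subject)" ] &&
  dn "$WORK/john.crt" -subject | grep -q 'John Smith'
}
client_is_not_ca()      { openssl x509 -in "$WORK/john.crt" -noout -text | grep -q 'CA:FALSE'; }
client_chain_verifies() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/john.crt" >/dev/null 2>&1; }

# A client cert must not be usable as an issuer: either openssl refuses to sign
# with it, or the cert it produces fails to chain to the root because John's
# cert carries CA:FALSE.
client_cannot_act_as_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Jane Doe" \
    -keyout "$WORK/jane.key" -out "$WORK/jane.csr" 2>/dev/null
  if openssl x509 -req -in "$WORK/jane.csr" -CA "$WORK/john.crt" -CAkey "$WORK/john.key" \
       -CAcreateserial -days 365 -out "$WORK/jane.crt" 2>/dev/null; then
    ! openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/john.crt" "$WORK/jane.crt" >/dev/null 2>&1
  fi
}

make_ca; make_client_csr; sign_client_csr
echo "root   issuer:  $(dn "$WORK/ca.crt" -issuer)"
echo "root   subject: $(dn "$WORK/ca.crt" -subject)"
echo "client issuer:  $(dn "$WORK/john.crt" -issuer)"
echo "client subject: $(dn "$WORK/john.crt" -subject)"
```

Running the script prints the issuer and subject lines the post refers to: the root's two lines are identical, while the client cert shows the CA as issuer and John Smith as subject. Signing the root with `openssl x509 -req -signkey` and an explicit extension file, rather than `openssl req -x509`, keeps the CA:TRUE decision visible in the script instead of depending on the `x509_extensions` section of whatever openssl.cnf is installed.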