Hi Dave, thanks for your reply but...

On Thu, Oct 21, 2010 at 7:52 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Ariel
> > Sent: Thursday, 21 October, 2010 16:34
> >
> > On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p
> > <sandeepkir...@gmail.com> wrote:
> > > mydomain.com.crt is an End-Entity certificate and not a CA
> > > cert. <snip>
> >
> > So basically you mean that I can't use "mydomain.com.crt" to sign
> > and issue new certificates for my clients? I thought I could, using
> > the bundle or intermediate one they provided to me. Sorry for my
> > ignorance but I don't know too much about how it works and this is
> > annoying to me :S
> > I only want to generate and issue new certificates that my clients
> > can install in their browsers and then provide to me (SSL client
> > certificate) when they come to my site. Is this possible without
> > having to create a self-signed CA cert that causes browsers to not
> > recognize it as a valid CA? Can I provide a trusted chained root
> > with the certificates I'm trying to issue?
> >
> > > [sandeep?] So you either need to get a CA cert from GoDaddy or set
> > > up a test CA on your own using OpenSSL. GoDaddy, I am sure, would
> > > not provide you with a CA certificate as that would then empower
> > > you to <snip rest>
>
> Do as sandeep said. Create your own private CA with OpenSSL. You issue
> certs to clients (who request them) and set your server(s) to trust your
> private root and thus the certs presented by the clients. Your server
> presents the cert issued to it under a real CA which the clients trust.

This means I need to create my own self-signed CA cert, right? And this is what I'm trying to avoid: "Because there is no established trust hierarchy leading to a self-signed certificate, it is impossible to verify that a self-signed certificate is genuine." [1]

I was reading here [2] because this is what I'm trying to do: SSL client authentication; but my problem is how to set up or get a valid ca.crt that I can use to sign and issue new client certificates and that will also validate properly. Is this possible?

Thanks for your help,
- Ariel

[1] http://publib.boulder.ibm.com/infocenter/zos/v1r10/index.jsp?topic=/com.ibm.zos.r10.ikya100/intermed.htm
[2] http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3

> The only tricky bit is if your clients need to authenticate themselves
> to some *other* server(s) besides yours. Then they need to be able to
> select 'key/cert for Ariel' versus other, perhaps public, key/cert(s).
> Your server should do SSL_[CTX_]set_client_CA_list to your private root;
> this will send a 'hint' to the client which cert to present -- although
> it's up to the client to actually obey this hint, it's not required to.
>
> Plus of course you need to ensure that the people/machines you issue
> certs to are in fact the ones you want as clients. Although if you
> make a mistake, you can issue your own CRL(s) which your server checks.
> (And if it's convenient to put your CA on the same machine as your server,
> this greatly simplifies the CRL distribution procedure. <G?>)
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

-- 
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
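The private-CA setup Dave describes, as an added example written for this thread (it is not code from any of the posters) using the openssl command line. It assumes openssl is on PATH; the names "client1" and "client2" and the directory layout are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: builds the private CA Dave describes
# with the openssl CLI, issues one client cert under it, and shows why an
# end-entity cert such as mydomain.com.crt cannot itself issue certs.
# Assumes openssl is on PATH; "client1"/"client2" are placeholder names.
set -eu
# Create the private root and issue client1's cert into directory $1.
# Returns 0 when client1.crt verifies against the private root.
build_private_ca() {
    dir="$1"; mkdir -p "$dir"
    # 1. Self-signed root (default v3_ca extensions mark it CA:TRUE).
    #    Browsers need not trust it: only your server verifies client
    #    certs against it; your server's own cert still comes from GoDaddy.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Private Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Client key and CSR (normally generated on the client side).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$dir/client1.key" -out "$dir/client1.csr" 2>/dev/null
    # 3. Issue the client cert by signing the CSR with the root key.
    openssl x509 -req -in "$dir/client1.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/client1.crt" 2>/dev/null
    # 4. The chain check your server performs once ca.crt is its
    #    client-CA file (the SSL_CTX_set_client_CA_list / verify side).
    openssl verify -CAfile "$dir/ca.crt" "$dir/client1.crt" >/dev/null
}

# Try to use client1.crt (an end-entity cert, like mydomain.com.crt) as the
# issuer for client2. Returns 0 when the chain correctly fails to verify:
# client1.crt has no CA:TRUE basicConstraints, so it is not a valid CA.
end_entity_cannot_issue() {
    dir="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client2" \
        -keyout "$dir/client2.key" -out "$dir/client2.csr" 2>/dev/null
    # A build that refuses to sign with a non-CA cert is also a correct
    # "cannot issue" outcome.
    openssl x509 -req -in "$dir/client2.csr" -CA "$dir/client1.crt" \
        -CAkey "$dir/client1.key" -CAcreateserial -days 365 \
        -out "$dir/client2.crt" 2>/dev/null || return 0
    ! openssl verify -CAfile "$dir/ca.crt" -untrusted "$dir/client1.crt" \
        "$dir/client2.crt" >/dev/null 2>&1
}

# Usage: sh private_ca.sh /path/to/ca-dir
if [ $# -ge 1 ]; then
    build_private_ca "$1" && echo "client1.crt verifies against ca.crt"
    end_entity_cannot_issue "$1" && echo "client1.crt cannot act as a CA"
fi
```

Point your server at ca.crt as its client-CA file (for example Apache's SSLCACertificateFile with SSLVerifyClient require) and keep the GoDaddy-issued cert as the server certificate; the two trust paths are independent.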