On 04.08.2011 08:23, Tomas Macek wrote:
> We have some web servers and I want to create self-signed certificates
> for them.
> What I want:
> - I want to create my own certification authority keys and
> certificate, which will be imported into all web browsers of our employees
> - I want to create certificates that will be signed by my own
> certification authority (previous step) and include them in the
> apache/httpd configuration. I don't want our employees to be warned
> that the certificate is not trusted (I cannot buy a REAL trusted
> certificate)
> Reading the FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29,
> reading CA.pl from openssl-perl and discussions on the net for 2 days
> gave me these steps, which I have already performed:
> 1) creating my own CA:
> openssl genrsa -des3 -out ca.key 1024
> openssl rsa -in ca.key -out ca.key.unsecure
> mv ca.key.unsecure ca.key
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> 2) creating my own server key and certification request:
> openssl genrsa -des3 -out server.key 1024
> openssl rsa -in server.key -out server.key.unsecure
> mv server.key.unsecure server.key
> openssl req -new -key server.key -out server.csr
> 3) signing the request with my own CA (see step 1):
> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -out server.crt
> 4) I have imported the ca.crt into the web browser
> 5) the server.key and server.crt were included in the apache/httpd
> configuration
> After these steps the web page looks secured and no warning appears
> when I enter the page.
> Question:
> ---------------
> Do you see anything bad about these steps, or can you please recommend
> any further steps in order to do things properly?
The process looks good to me, though I'm not totally sure about step #3.
I use the "openssl ca ..." command to sign my certificates; it needs a
config file, but it also keeps an index file and an archive structure of
issued certificates, which is (IMHO) worth the work.
But, are you sure that you want to keep your CA key unprotected? I'd
advise strongly against this. Issuing server certificates should be
seldom enough to do it manually by entering a password...
One hint: You probably won't be happy with a CA certificate expiring in
one year, since all your created certificates will be considered invalid
once the CA certificate becomes invalid.
So I'm quite sure you'll want to use at least 5 years as the expiry time
for your CA, or even more if distributing the CA certificate is some work.
Hope this helps
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
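The following script is an added example, not Tomas's commands or Ted's, that puts the whole procedure (steps 1 to 3 above) into the form Ted recommends: an "openssl ca"-driven CA with an index and serial file, a CA key that stays encrypted on disk, and a CA certificate valid for ten years while server certificates are short-lived. It also fixes two things a practitioner would trip over today: "openssl x509 -req" issues a certificate valid for only 30 days unless -days is given (here default_days comes from the config), and 1024-bit RSA is no longer accepted by current browsers, so it uses 4096-bit and 2048-bit keys. It assumes OpenSSL 1.1.1 or later; the directory layout, hostnames and passphrase are hypothetical, and the passphrase goes through -passout/-passin only so the script can run unattended. For a real CA, type it at the prompt instead of putting it in a script.

```sh
#!/bin/sh
# Added example (not the poster's or Ted's commands): a small internal CA run
# with "openssl ca" instead of "openssl x509 -req". Assumes OpenSSL >= 1.1.1.
# Directory names, hostnames and the passphrase are hypothetical; the
# passphrase is passed via -passout/-passin only so this can run unattended.
set -eu

WORK="${WORK:-$(mktemp -d)}"                          # hypothetical scratch dir
CA_DIR="$WORK/internal-ca"
CA_PASS="demo-only-passphrase"                        # hypothetical; never hard-code for real
CA_DAYS=3650                                          # 10 years: leaf certs die with the CA cert
LEAF_DAYS=825                                         # re-issuing a server cert is cheap
SERVER_NAME="${SERVER_NAME:-intranet.example.com}"    # hypothetical host

# Lay out the CA directory and the config that "openssl ca" needs. The index
# (database) and serial files are what make issued certificates auditable.
init_ca() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/issued"
    : > "$CA_DIR/index.txt"
    openssl rand -hex 16 > "$CA_DIR/serial"           # random, not predictable, serials
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = internal_ca

[ internal_ca ]
dir            = $CA_DIR
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/ca.crt
private_key    = \$dir/ca.key
default_md     = sha256
default_days   = $LEAF_DAYS
policy         = policy_internal
unique_subject = no

[ policy_internal ]
commonName       = supplied
organizationName = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # The CA key stays encrypted on disk (Ted's point); the passphrase is
    # needed only when a certificate is issued.
    openssl genrsa -aes256 -passout pass:"$CA_PASS" -out "$CA_DIR/ca.key" 4096 2>/dev/null
    chmod 600 "$CA_DIR/ca.key"
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -days "$CA_DAYS" \
        -key "$CA_DIR/ca.key" -passin pass:"$CA_PASS" \
        -subj "/O=Example Corp/CN=Example Corp Internal CA" -out "$CA_DIR/ca.crt" >/dev/null
}

# Issue one server certificate: unencrypted key (httpd must read it at start),
# CSR, then "openssl ca" with a per-host extension file carrying the SAN.
issue_server_cert() {
    host="$1"
    key="$CA_DIR/issued/$host.key"; csr="$CA_DIR/issued/$host.csr"
    crt="$CA_DIR/issued/$host.crt"; ext="$CA_DIR/issued/$host.ext"
    openssl genrsa -out "$key" 2048 2>/dev/null
    chmod 600 "$key"
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$key" \
        -subj "/CN=$host" -out "$csr" >/dev/null
    cat > "$ext" <<EOF
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:$host
EOF
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -notext \
        -passin pass:"$CA_PASS" -extfile "$ext" -extensions server_ext \
        -in "$csr" -out "$crt" >/dev/null
    echo "$crt"
}

# Checks to run before shipping: the chain verifies against the CA, the SAN
# is present (browsers ignore the CN), the CA key is still encrypted, and the
# index records every certificate issued.
verify_chain()        { openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null; }
cert_has_san()        { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
ca_key_is_encrypted() { grep -q ENCRYPTED "$CA_DIR/ca.key"; }
issued_count()        { grep -c '^V' "$CA_DIR/index.txt"; }

init_ca
crt=$(issue_server_cert "$SERVER_NAME")
verify_chain "$crt" && echo "$crt verifies against $CA_DIR/ca.crt"
```

The files under issued/ are what go into the Apache configuration (the .crt as SSLCertificateFile, the .key as SSLCertificateKeyFile), and ca.crt is the one file employees import into their browsers. Running issue_server_cert again for another hostname appends a second "V" line to index.txt, which is the audit trail that the "openssl x509 -req" route never gives you.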