I've been at this for too many hours and too many web pages and I'm so close...
I think I could use a little help over the final obstacle.
I'm trying to be my own CA and what I want to accomplish is to be able to sign
web server certificates that are automatically accepted by our LAN users if
they have the CA certificate installed.
My CA certificate verifies fine...
root@ubuntu:/etc/ssl# openssl verify cacert.pem
cacert.pem: OK
My host web server certificate (generated with the key removed) verifies fine...
root@ubuntu:/etc/ssl# openssl verify ubuntu/http.pem
ubuntu/http.pem: OK
I signed all the certificates that I generated with the CA key file that was
used for the CA certificate.
and If I load either the DER or the PEM version of my self-signed CA into
Firefox or Apple's Keychain access, I would expect that it should just be
accepted (but it's not). Of course users can choose to 'accept' but I'm looking
to get past that.
If someone can help me get over the hurdle, I would appreciate it.
The code I use to generate the web cert is...
openssl req -new -nodes \
-out $CERTPATH/http.csr \
-keyout $CERTPATH/http.key \
-days 3650 \
-config $CONFIG
openssl ca \
-config $CONFIG \
-policy policy_anything \
-out $CERTPATH/http.pem \
-infiles $CERTPATH/http.csr
TIA
--
Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [email protected]
1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com
Need help communicating between generations at work to achieve your desired
success? Let us help!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]