> From: owner-openssl-us...@openssl.org On Behalf Of Dinh, Thao V CIV NSWCDD, K72
> Sent: Monday, 04 June, 2012 11:08

> Please help me to understand more about "SELF SIGNED CERTIFICATES". 
> 
> Do Self-Signed certificates have to be signed at all by its own 
> CA ?? Do we have to generate CSR for each client ?? If they 

A self-signed cert is one that is signed by its own key, that is, 
signed by the same key that is certified in the cert, and has 
Issuer same as Subject (and AKI=SKI if used) to indicate this.

> do,  What is the best way to create "Self-Signed Cert" ?? Either 
> 
> 1.  Each client is its own CA 
>     a. // generate keys and CSR
>        openssl req -newkey rsa:1024 -sha1 -keyout 
> clientkey.pem -out clientreq.pem
>     b. // generate cert signed by its own CA
>        openssl x509 -req -in clientreq.pem -sha1 -signkey 
> clientkey.pem -out clientcert.pem
> 
That's one way to create a self-signed cert. There are others. 
Which is "best" depends on what you want to do.
 
> 2. Create one root  CA, every client create its own 
> Certificate signed by root CA
> 
>     //create root
>     a. openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem 
> -out rootreq.pem
>     b. openssl x509 -req -in rootreq.pem -sha1  -signkey 
> rootkey.pem -out rootcert.pem
>     c. cat rootcert.pem rootkey.pem > root.pem
> 
>     // create client certificate , signed by common root
>     d. openssl req -newkey rsa:1024 -sha1 -keyout 
> clientkey.pem -out clientreq.pem
>     f. openssl x509 -req -in clientreq.pem -sha1  -CA 
> root.pem -CAkey root.pem  -signkey  -out client.pem
> 
You can't use -signkey with -CA (and -CAkey) in the child level.
Since you put both CA key and cert in root.pem, you don't need -CAkey.
You must either have created the root.srl file, or use -CAcreateserial.

That's not self-signed. That's a CA and a cert issued by that CA.
The fact that it's a tiny and very local CA operated by you 
for yourself doesn't change the fact that it is a CA. 
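Both procedures from the question, written out so they run unattended and with the three corrections from the reply applied to the CA case (no -signkey on the issued cert, -CA root.pem alone because root.pem holds cert and key, and -CAcreateserial for root.srl). This is an added example, not a script from the thread or from the OpenSSL project; it assumes only that `openssl` is on PATH, and every file name, subject name and directory in it is constructed for the demonstration. The checks at the end apply the reply's definition of self-signed (Issuer equals Subject, and the signature verifies under the certificate's own key) and show that the CA-issued certificate does not meet it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes only that `openssl` is on PATH;
# all file names, subject names and the working directory are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Option 1 from the question: a self-signed client certificate, using the same
# two commands (req, then x509 -req -signkey). -nodes leaves the test key
# unencrypted so nothing prompts; -subj answers the interactive questions.
make_self_signed() {
    openssl req -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=client1.example.test" \
        -keyout clientkey.pem -out clientreq.pem
    openssl x509 -req -in clientreq.pem -sha256 -days 365 \
        -signkey clientkey.pem -out clientcert.pem
}

# Option 2 from the question with the reply's corrections: no -signkey on the
# issued cert, -CA root.pem is enough because root.pem carries cert and key,
# and -CAcreateserial creates root.srl. The root is explicitly marked as a CA
# (basicConstraints, keyUsage) so that verification treats it as one.
make_ca_issued() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
    openssl req -newkey rsa:2048 -sha256 -nodes -subj "/CN=Tiny Local CA" \
        -keyout rootkey.pem -out rootreq.pem
    openssl x509 -req -in rootreq.pem -sha256 -days 3650 \
        -signkey rootkey.pem -extfile ca.ext -out rootcert.pem
    cat rootcert.pem rootkey.pem > root.pem

    openssl req -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=client2.example.test" \
        -keyout client2key.pem -out client2req.pem
    openssl x509 -req -in client2req.pem -sha256 -days 365 \
        -CA root.pem -CAcreateserial -out client2cert.pem
}

# The reply's definition as a check: Issuer equals Subject, and the signature
# verifies with the certificate itself as the only trust anchor.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The certified key is the signing key: the public half of the private key
# (arg 1) must equal the public key embedded in the certificate (arg 2).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# An issued certificate chains to the root CA; a self-signed one does not.
chains_to_root() {
    openssl verify -CAfile rootcert.pem "$1" >/dev/null 2>&1
}

demo() {
    make_self_signed
    make_ca_issued
    for f in clientcert.pem rootcert.pem client2cert.pem; do
        if is_self_signed "$f"; then echo "$f: self-signed"; else echo "$f: issued by a CA"; fi
    done
    chains_to_root client2cert.pem && echo "client2cert.pem verifies against rootcert.pem"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found on PATH; nothing was generated" >&2
fi
```

Running it prints that clientcert.pem and rootcert.pem are self-signed while client2cert.pem is issued by a CA, which is the distinction the reply draws: the second procedure produces a CA and a certificate issued by it, however small and local that CA is.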


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org