Okay, thanks a lot for the quick replies!
I hope I got that right: it is sufficiently secure and unproblematic to create
a CA and use this CA (let's call it root-crt) certificate on my webserver and
smartphone and wherever it is needed. In short: you can use the cacert.pem
which is produced by ../CA.pl -newca.
And the /private/cakey.pem should be stored in a secret place on an external
device which is offline (SD card, USB etc. in my cellar).
Is this right?
Thanks for support!
On 19 December 2014 21:43:08 CET, Jeffrey Walton <noloa...@gmail.com> wrote:
>On Fri, Dec 19, 2014 at 7:13 AM, Benjamin <benjami...@gmx.at> wrote:
>> Hello everyone!
>> I am quite new to two things: this mailing list and making and working with
>> certificates
>>
>> I want to run a small owncloud on my raspberry pi and tried to make a crt
>> which I can also use with my mobile devices. Here is the problem:
>> When I make a certificate either with this instruction:
>> http://wiki.ubuntuusers.de/CA
>> or this one:
>> https://www.prshanmu.com/2009/03/generating-ssl-certificates-with-x509v3-extensions.html
>>
>> I have the problem that the cacert has "basicConstraints CA=TRUE" but when I
>> make a cert by request I got a new cert (as far as I knew, that which I
>> should use for my nginx webserver) which has CA=FALSE. This is no problem
>> normally but my Android phone only accepts Certs with CA=TRUE and actually I
>> don't know how to make such a certificate… Of course, I could use the cacert
>> itself but isn't this insecure and inadequate?
>
>You can't install self signed certificates (CA=FALSE). You can install
>client certificates and CA certificates. See
>https://support.google.com/nexus/answer/2844832?hl=en.
>
>What you should do is create a CA, sign the web server's certificate
>with your CA, and then install the CA on your Android device.
>
>The problem (of the Internet of Things and self-signed certificates
>intersecting with Browsers) was recently brought up on the Web App Sec
>mailing list (see
>http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0203.html).
>There's nothing available at the moment - the Browsers only support
>the CA Zoo security model.
>
>Jeff
>_______________________________________________
>openssl-users mailing list
>openssl-users@openssl.org
>https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
--
This message was sent from my Android mobile phone with K-9 Mail.
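
The setup discussed in this thread (a private CA whose certificate goes on the phone, and a web server certificate signed by that CA), as an added example that is not part of the original messages. It uses plain `openssl` commands with a hand-written config instead of CA.pl; the CA name, the host name `cloud.example.test` and all file names are assumptions.

```shell
#!/bin/sh
# Added example; the CA name, host name and file names are constructed.
# make_pki DIR HOST writes ca.key/ca.crt (CA) and server.key/server.crt (leaf).
make_pki() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    (
        umask 077   # files created here, private keys included, are owner-only
        # CA: self-signed, CA:TRUE. ca.key is the file to keep offline.
        openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -config "$dir/pki.cnf" -extensions v3_ca -subj "/CN=Example Home CA" \
            -keyout "$dir/ca.key" -out "$dir/ca.crt" || exit 1
        # Web server: key plus signing request, then signed by the CA as CA:FALSE.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -config "$dir/pki.cnf" -subj "/CN=$host" \
            -keyout "$dir/server.key" -out "$dir/server.csr" || exit 1
        openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/pki.cnf" -extensions v3_server \
            -out "$dir/server.crt" || exit 1
    ) 2>/dev/null
}

# Succeeds when the certificate carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Succeeds when LEAF chains to CAFILE: chain_ok CAFILE LEAF
chain_ok() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

demo=$(mktemp -d)
make_pki "$demo" cloud.example.test && is_ca "$demo/ca.crt" \
    && ! is_ca "$demo/server.crt" && chain_ok "$demo/ca.crt" "$demo/server.crt" \
    && echo "CA and server certificate written to $demo"
```

Here `ca.crt` is the file that gets installed on the phone, `server.crt` and `server.key` are what the web server uses, and `ca.key` is only needed again when another certificate has to be signed.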