Planning to set up your own CA?
On 07/13/2014 08:43 PM, Alan Altmark wrote:
> I (think I) know that openSSL provides two ways to manage certificates:
> 1. A single PEM file that has all of your CA certificates in it. I say
> "single" as a matter of practice.

It's actually a single file with multiple PEM instances. PEM is just base64 encoding of DER (a specific variant of BER) with the "-----" markers. The markers allow you to be clear (in plain text) whether something is a key, a cert, a request, or whatever. Otherwise you'd have to divine from the ASN.1 structure what exactly you've got. (The alphabet soup is explained in a separate note.)

Velocity uses the same format for our "CA Bundle". There's a good example here ...

https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

Browsers and other clients use such a bundle as the store of root certificates to validate servers. The server uses such a bundle to validate clients. (Smart cards, stuff like that.) The validation logic is the same, and a root (or intermediate) can issue a "client" or "server" cert.

> 2. A single directory that contains all of the certificates stored in
> separate PEM files. You use the c_rehash utility each time you add or
> delete a certificate to/from the directory.

Right. And if you concatenated them you'd get the aforementioned single file.

> And if you're using a private certificate, then you probably have a
> separate PEM file that contains it and the certificate chain, and the
> cert's associated private key.

Sure. Just be really really really careful where that private key hides. I've seen a certificate in the same file with its private key. (Two PEM stanzas; one file.) But I've not yet encountered a cert chain (multiple cert PEM stanzas) in the same file with a private key.

Note: chaining can often be done dynamically. It's common for a certificate to contain a URL where the issuer's certificate can be downloaded.

> I'm curious as to which way most people do it, and why.

Academically, it doesn't matter. Either way, the individual certificates need to be separated for processing.

Velocity's zSSL uses both methods. We use a bundle for all pre-loaded certificates. (For validating clients, should you need that function.) Intermediate and client certificates are stored as individual files. In my experience, the single file is easier for a massive root store. Separate files make more sense when automating.

-- 
Rick Troth
Senior Software Developer
Velocity Software Inc.
Mountain View, CA 94041
Main: (877) 964-8867
Direct: (614) 594-9768
ri...@velocitysoftware.com

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390
or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
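The reply above describes PEM as base64 DER between "-----BEGIN X-----" / "-----END X-----" markers, a CA bundle as several such stanzas in one file, and the one thing to watch for (a private key hiding in the same file as certificates). The following is an added example, not code from the thread, from Velocity or from zSSL: a small stdlib-only Python splitter that does the separation step the message says every consumer has to perform, classifies each stanza by its marker label, checks that the decoded DER is a well-formed top-level ASN.1 SEQUENCE whose declared length matches what was decoded, and flags a key sitting next to certificates. The function names are my own, and the sample bundle is constructed: its bodies are placeholder DER (a minimal SEQUENCE { INTEGER 5 }), not real certificates or keys, with one stanza deliberately declaring more content than it carries.

```python
import base64
import re

# One PEM stanza: the label on the BEGIN marker must be repeated on END.
_PEM_STANZA = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return [(label, der_bytes), ...] for every PEM stanza in `text`.

    Text outside the markers (the comment lines a CA bundle carries
    between certificates) is skipped, as PEM readers do.
    """
    stanzas = []
    for match in _PEM_STANZA.finditer(text):
        label = match.group(1)
        b64 = "".join(match.group(2).split())  # drop line breaks / spaces
        stanzas.append((label, base64.b64decode(b64, validate=True)))
    return stanzas


def der_declared_length(der):
    """Length the outermost ASN.1 SEQUENCE claims for itself, header
    included, or None if the bytes do not start with a SEQUENCE header.
    Certificates, CSRs and PKCS#8 keys are all a SEQUENCE at the top."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_bundle(text):
    """Count stanzas by kind and flag the two things worth flagging:
    DER whose declared length disagrees with the decoded size (a
    truncated or mangled stanza) and a private key in the same file
    as certificates."""
    report = {"certs": 0, "keys": 0, "other": 0, "bad_der": 0}
    for label, der in split_pem_bundle(text):
        if der_declared_length(der) != len(der):
            report["bad_der"] += 1
        if label == "CERTIFICATE":
            report["certs"] += 1
        elif label.endswith("PRIVATE KEY"):     # "RSA PRIVATE KEY", "PRIVATE KEY", ...
            report["keys"] += 1
        else:
            report["other"] += 1
    report["key_next_to_cert"] = report["keys"] > 0 and report["certs"] > 0
    return report


# Constructed sample bundle (placeholder DER, not real certificates or keys).
# The third stanza declares 16 bytes of content but carries 3.
SAMPLE_BUNDLE = """\
# Comment line such as a bundle header; ignored by PEM readers.
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MAMCAQU=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MBACAQU=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for label, der in split_pem_bundle(SAMPLE_BUNDLE):
        print(f"{label:20s} {len(der):4d} bytes, declared {der_declared_length(der)}")
    print(check_bundle(SAMPLE_BUNDLE))
```

Run against the constructed bundle, `check_bundle` reports two certificates, one key, one stanza with bad DER, and `key_next_to_cert` set, which is exactly the "where does that private key hide" review the message recommends before a bundle is dropped into a CAfile or a c_rehash directory.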