Planning to set up your own CA?

On 07/13/2014 08:43 PM, Alan Altmark wrote:
> I (think I) know that openSSL provides two ways to manage certificates:
> 1.  A single PEM file that has all of your CA certificates in it.  I say
> "single" as a matter of practice.

It's actually a single file with multiple PEM instances.
PEM is just base 64 encoding of DER (specific variant of BER) with the
"-----" markers.
The markers allow you to be clear (in plain text) if something is a key,
a cert, a request, or whatever. Otherwise you'd have to divine from the
ASN.1 structure what exactly you've got. (The alphabet soup explained in
a separate note.)

Velocity uses the same format for our "CA Bundle". There's a good
example here ...

    https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt


Browsers and other clients use such a bundle as the store of root
certificates to validate servers.
The server uses such a bundle to validate clients. (smart cards, stuff
like that)
The validation logic is the same, and a root (or intermediate) can issue
a "client" or "server" cert.

> 2.  A single directory that contains all of the certificates stored in
> separate PEM files.  You use the c_rehash utility each time you add or
> delete a certificate to/from the directory.

Right. And if you concatenated them you'd get the aforementioned single
file.

> And if you're using a private certificate, then you probably have a
> separate PEM file that contains it and the certificate chain, and the
> cert's associated private key.

Sure. Just be really really really careful where that private key hides.

I've seen a certificate in the same file with its private key. (Two PEM
stanzas; one file.) But I've not yet encountered a cert chain (multiple
cert PEM stanzas) in the same file with a private key.

Note: chaining can often be done dynamically. It's common for a
certificate to contain a URL where the issuer's certificate can be
downloaded.

> I'm curious as to which way most people do it, and why.

Academically, it doesn't matter. Either way, the individual certificates
need to be separated for processing.

Velocity's zSSL uses both methods. We use a bundle for all pre-loaded
certificates. (For validating clients, should you need that function.)
Intermediate and client certificates are stored as individual files. In
my experience, the single file is easier for a massive root store.
Separate files make more sense when automating.



--

Rick Troth
Senior Software Developer

Velocity Software Inc.
Mountain View, CA 94041
Main: (877) 964-8867
Direct: (614) 594-9768
ri...@velocitysoftware.com
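The bundle format Rick describes (one file, many PEM stanzas, each just base64 of a DER SEQUENCE between "-----" markers whose label names the type) as an added example, not code from the original mail or from Velocity: a small splitter that returns each stanza with its label, checks that the decoded bytes are one complete DER SEQUENCE, and flags any private-key stanza that has ended up in the same file. The certificate bytes are constructed stand-ins, not real certificates.

```python
import base64
import re

# One PEM stanza: the BEGIN/END labels must match (\1); the body is base64.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def split_pem_bundle(text):
    """Return [(label, der_bytes), ...] for every stanza in a bundle.
    Text between stanzas (e.g. the comment lines in the curl ca-bundle) is
    ignored. Each body is base64-decoded and checked to be one complete DER
    SEQUENCE (tag 0x30) whose length field matches the decoded size."""
    items = []
    for m in _PEM_RE.finditer(text):
        der = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
        _check_der_sequence(der)
        items.append((m.group(1), der))
    return items

def _check_der_sequence(der):
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("stanza does not decode to a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: N length bytes follow
        n = first & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length %d != stanza size %d" % (header + length, len(der)))

def private_key_labels(text):
    """Labels of any private-key stanza: run this on a bundle before it is
    copied anywhere, since a cert and its key can share one file."""
    return [l for l, _ in split_pem_bundle(text) if "PRIVATE KEY" in l]

def to_pem(label, der):
    """Wrap DER in PEM markers with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample: tiny DER SEQUENCEs stand in for real certificates
# (a real one is around 1 KB); the container handling is identical.
FAKE_ROOT = bytes([0x30, 0x03, 0x02, 0x01, 0x01])          # SEQUENCE{INTEGER 1}
FAKE_INTERMEDIATE = bytes([0x30, 0x03, 0x02, 0x01, 0x02])  # SEQUENCE{INTEGER 2}
SAMPLE_BUNDLE = (to_pem("CERTIFICATE", FAKE_ROOT)
                 + "Example Intermediate CA\n=======================\n"
                 + to_pem("CERTIFICATE", FAKE_INTERMEDIATE))
```

Running `split_pem_bundle` over the curl ca-bundle.crt linked above gives one tuple per root, which is the "separation for processing" the mail refers to.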




----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
