Hi all,
this is what I did:
# openssl genrsa -des3 -out ca.key
# openssl req -key ca.key -nodes -new -out ca.req
# openssl x509 -days 1000 -in ca.req -req -signkey ca.key -out ca.pem
I moved ca.pem to demoCA/cacert.pem and ca.key to demoCA/private/cakey.pem.
Then:
# openssl ca -cert demoCA/cacert.pem -ss_cert demoCA/cacert.pem -out ca.pem
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :PRINTABLE:'Hamburg'
localityName :PRINTABLE:'Hamburg'
organizationName :PRINTABLE:'zaplinski.de certificate services'
commonName :PRINTABLE:'zaplinski.de root CA'
emailAddress :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Aug 27 21:18:49 2002 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# mv ca.pem demoCA/cacert.pem
So I now have my self-signed CA.
But how can I import that in IE and NS? I could not find any information on
the web. 'openssl pkcs7 -i demoCA/cacert.pem -outform DER -out ca.p7b' did
not work, and AFAIK MS IE5 only eats pkcs7 files. But, even if I show it
pkcs7, it continues to say the file format isn't recognized.
I even had my own little CA and a CA-signed cert for SSL'ed POP3 and SMTP,
but after importing that cert into Netscape it did not know anything about my
CA. MS IE5 refused to import that. So I deleted everything and started all
over.
Is there any HOWTO/FAQ on how to
- build your own CA
- import that CA into Netscape/IE
- build a server cert signed by that CA, *not* to be used by Apache but by
mailer apps
- also import that into Netscape/IE?
I could not find any information on the web.
Any hints welcome!
Olaf
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
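
The steps the post asks about, as an added example that is not part of the original message and not from the OpenSSL project: build a root CA, issue a mail-server certificate signed by it, verify the chain, and export the CA certificate as DER and as a certs-only PKCS#7 file. Subject names, file names and the host `mail.example.test` are constructed, and the script does not check whether a particular browser version accepts either export.

```shell
#!/bin/sh
# Added example. All names (Example root CA, mail.example.test) are constructed.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<'EOF' || return 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF
    # 1. Root CA: new key and self-signed certificate carrying CA:TRUE.
    #    -nodes keeps the demo unattended; encrypt a real CA key.
    openssl req -config "$dir/pki.cnf" -x509 -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 1000 \
        -subj "/C=DE/O=Example certificate services/CN=Example root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # 2. Mail server (POP3/SMTP over SSL): key and request, signed by the CA.
    openssl req -config "$dir/pki.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/C=DE/O=Example/CN=mail.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/pki.cnf" \
        -extensions v3_srv -out "$dir/srv.pem" 2>/dev/null || return 1
    # 3. Confirm the server certificate chains to the CA for TLS server use.
    openssl verify -purpose sslserver -CAfile "$dir/ca.pem" "$dir/srv.pem" || return 1
    # 4. Export only the CA *certificate* for client import: plain DER and a
    #    certs-only PKCS#7 bundle. ca.key never leaves the CA host.
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der" || return 1
    openssl crl2pkcs7 -nocrl -certfile "$dir/ca.pem" -outform DER \
        -out "$dir/ca.p7b" || return 1
}
# Run as: sh demo-pki.sh demo   (writes to ./demo-pki)
if [ "${1:-}" = "demo" ]; then build_demo_pki ./demo-pki; fi
```

The server only needs `srv.key` and `srv.pem`; clients import `ca.der` or `ca.p7b` once and then trust every certificate the CA signs.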