On 4 Jun 2002, Shalendra Chhabra wrote:

> 1. I am able to generate Certificate and Private Key
> using command line options in Openssl.
> can someone tell me are they considered good? and if they are good
> why do we need Certificates from companies like
> Microsoft, Verisign???????????
Considered good by whom, and what does "good" mean? Certificates produced using OpenSSL ought to be just as good in the mathematical sense as anyone else's. What those certificates *mean* depends on just how hard the issuer works to prove that the entity requesting the certificate is providing a valid identity to be bound to the requested certificate.

Certificates from recognized commercial CAs have considerable value because we believe that those CAs do a reasonable job of verifying identity. Certificates issued by the experimental OpenSSL-based CA I have on my office workstation have no particular value, and in fact my CPS says so. Certificates issued by random CAs set up with Microsoft's cert. management tools have value in proportion to the trust you place in the person running the CA and the security of the CA host machine.

Commercial certificates for e.g. web servers have other value as well, in that most Web browsers will already be set up to trust those CAs. If you mint your own cert.s using OpenSSL or the Windows gadget, nobody will have heard of your CA so you have to convince them that you're trustworthy before they'll add your CA's self-signed cert. to their store of trusted authorities. (Of course, some people don't require much convincing.) A private CA is probably best used for internal projects only, since it's a lot easier to develop the necessary trust within a small, closed community.

The MS gadget has one other thing going for it: it's all wrapped up in a pretty package so that you can just push a few buttons and have a private CA ready for use. OTOH OpenSSL lets you see what it is doing, and it's flexible enough to do a lot more than just issue magic numbers.

-- 
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".
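The point about a private CA being mathematically fine yet trusted by nobody who has not installed its root can be seen with the OpenSSL command line itself. The walkthrough below is an added example for this archived thread, not code from the original message or from the OpenSSL project; the CA name, hostname and temporary paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: build a private CA with the OpenSSL CLI, issue a server
# certificate from it, and check that the certificate verifies only for a
# party that has the CA's self-signed certificate in its trust store.
# Names, hostname and paths are constructed for this demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private CA: a key and a self-signed certificate. This is the "root"
#    you would have to persuade other people to add to their trusted store.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. Server key plus a certificate signing request carrying the server's name.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=intranet.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1

# 3. The CA signs the request: this is the name-to-key binding the CA vouches for.
openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1

# A relying party that has installed our CA certificate: chain builds, so "trusted".
verify_with_private_ca() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# A relying party that only knows the default (public) CA store: the same,
# perfectly valid certificate chains to nothing it trusts, so "untrusted".
verify_with_default_store() {
    if openssl verify "$WORK/server.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

echo "verifier with our CA installed:    $(verify_with_private_ca)"
echo "verifier with default store only:  $(verify_with_default_store)"
```

The same server certificate is accepted in the first case and rejected in the second; nothing about the certificate changed, only what the verifier had chosen to trust.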