Sorry, I wasn't clear in my question. (I'm confused, I know.)

(And thanks for trying to help a confused newb. ;-)

On Wed, 19 Jan 2005 16:27:10 +0900
Joel <[EMAIL PROTECTED]> mumbled unintelligibly:

> Had another newbie type question --
> 
> When reading about how to set up a self-signed web server, the docs I
> read indicate there is a need for two certificates -- one being a
> self-signed certificate for the entity certifying the server, and the
> other being the certificate the web server gives out (certified by the
> self-signed certificate).

That was from when I was playing with mod_ssl and apache. Got it working,
more or less, and, no, I did not use the self-signed certificate for
mod_ssl, I used the certificate signed with the self-signed certificate.

> Reading the RFCs and the docs, it seems like CAs would similarly have
> the certificate(s?) they operate under and the certificate they give out.
> And it looks like a root CA does not give out its self-signed
> certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea.
> The paragraph I'm reading now about pathLenConstraint makes it look like
> the root CA does give out his self-signed certificate when he gives one
> out -- talking about the count of non-self-signed certificates.)
> 
> Does setting up a root CA require generating a self-signed certificate,
> and then generating an operating certificate signed under the
> self-signed certificate, or am I thinking too hard and as confused as
> usual?

This is for an internal application, in which it really doesn't make
sense to have an externally trusted entity sign the CA certificate. We
aren't asking our customers to trust our self-signed certificate, we are
just trying to make sure the person who handed us the floppy with the
certificate is on the other end of the line, so to speak. 

(You could say our man in the middle is always "known" to be a "trusted"
employee, in the sense that PKI allows us to talk about mechanized trust.
8-/ )

What I'm trying to ask, if I can get it right this time, is whether a
root CA will be passing its own self-signed certificate out. 

I think I've figured it out, by the way. In the case of the web server,
the self-signed certificate is not intended for certifying the web site,
but for certifying the certificate(s) of (a) web site(s), which is why
two are necessary. 

But in the case of a CA, the certificate is for signing certificates for
other CAs and won't be given out otherwise. But it would be given out
with the signed certificates for the subordinate CAs.

But if the root CA machine is also signing server certificates (which it
should not, but that's another story), it should have a separate
certificate for signing certificates for servers. Should also have a
separate piece of the directory tree to do it in.

Am I getting warm?

--
Joel Rees   <[EMAIL PROTECTED]>
digitcom, inc.   株式会社デジコム
Kobe, Japan   +81-78-672-8800
** <http://www.ddcom.co.jp> **

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
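Added example, not code from the original thread: the layout the post is feeling its way toward (one self-signed root, an issuing CA whose certificate the root signs, server certificates signed by the issuing CA) built with the openssl command line, so it is visible which certificate each party actually hands out and what pathLenConstraint enforces at verification time. Names such as Example Root CA and www.example.internal are invented; the script assumes an openssl binary of 1.1.0 or later on PATH and a directory path without spaces.

```shell
#!/bin/sh
# Added example, not from the original thread. Two-tier PKI with openssl:
# self-signed root -> issuing CA -> server certificate. All names invented.

# Issue a certificate: $1 csr, $2 extension file, $3 output, then either
# "-signkey key" (self-sign) or "-CA cert -CAkey key" (sign by a CA).
issue() {
  csr=$1; ext=$2; out=$3; shift 3
  openssl x509 -req -sha256 -days 1825 -in "$csr" "$@" -CAcreateserial \
    -extfile "$ext" -out "$out" 2>/dev/null
}

# Fresh key pair plus CSR for subject $2, files named $1.key / $1.csr.
newreq() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Create the whole hierarchy under directory $1.
build_pki() {
  d=$1
  rm -rf "$d" && mkdir -p "$d" || return 1

  # 1. Root CA: the only self-signed certificate here. pathlen:1 permits at
  #    most one non-self-signed CA certificate in any chain below it.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:1' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/root.ext"
  newreq "$d/root" "Example Root CA" || return 1
  issue "$d/root.csr" "$d/root.ext" "$d/root.crt" -signkey "$d/root.key" || return 1

  # 2. Issuing CA: own key, certificate signed by the root. pathlen:0 means
  #    it may sign end-entity certificates only, never another CA.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/sub.ext"
  newreq "$d/sub" "Example Issuing CA" || return 1
  issue "$d/sub.csr" "$d/sub.ext" "$d/sub.crt" \
    -CA "$d/root.crt" -CAkey "$d/root.key" || return 1

  # 3. Server certificate: signed by the issuing CA, never by the root.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:www.example.internal' > "$d/server.ext"
  newreq "$d/server" "www.example.internal" || return 1
  issue "$d/server.csr" "$d/server.ext" "$d/server.crt" \
    -CA "$d/sub.crt" -CAkey "$d/sub.key" || return 1

  # 4. What mod_ssl hands out: server certificate, then the issuing CA's.
  #    root.crt is deliberately absent; it reaches the client out of band
  #    (the floppy) and is installed there as the trust anchor.
  cat "$d/server.crt" "$d/sub.crt" > "$d/chain.pem"
}

# Verify leaf $1 against trust anchor $2; further arguments are untrusted
# intermediates (what the server sent). Exit status is openssl verify's.
verify_leaf() {
  [ $# -ge 2 ] || return 2
  leaf=$1; anchor=$2; shift 2
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # -no-CApath keeps the system store out, so only $anchor is trusted.
  openssl verify -no-CApath -CAfile "$anchor" $untrusted "$leaf" >/dev/null 2>&1
}

# Hang another CA under the issuing CA (its pathlen:0 forbids this) and a
# leaf under that, so the constraint can be seen enforced at verify time.
build_extra_tier() {
  d=$1
  newreq "$d/sub2" "Rogue Sub-Sub CA" || return 1
  issue "$d/sub2.csr" "$d/sub.ext" "$d/sub2.crt" \
    -CA "$d/sub.crt" -CAkey "$d/sub.key" || return 1
  newreq "$d/leaf2" "leaf2.example.internal" || return 1
  issue "$d/leaf2.csr" "$d/server.ext" "$d/leaf2.crt" \
    -CA "$d/sub2.crt" -CAkey "$d/sub2.key" || return 1
}

# Stand-alone demo: sh pki.sh demo
case "${1:-}" in demo)
  D=${TMPDIR:-/tmp}/demo-pki
  build_pki "$D" && build_extra_tier "$D" || exit 1
  verify_leaf "$D/server.crt" "$D/root.crt" "$D/sub.crt" && echo "anchor + sent chain: OK"
  verify_leaf "$D/server.crt" "$D/root.crt" || echo "anchor only, no intermediate: FAIL (expected)"
  verify_leaf "$D/server.crt" "$D/sub.crt" || echo "issuing CA as anchor, no root: FAIL (expected)"
  verify_leaf "$D/leaf2.crt" "$D/root.crt" "$D/sub.crt" "$D/sub2.crt" \
    || echo "extra CA tier under pathlen:0: FAIL (expected)"
  ;;
esac
```

The three failing checks are the substance of the answer to the question: a client holding only the issuing CA's certificate cannot validate anything, because the chain has to end at a self-signed certificate it trusts, so the root certificate is the one that must be handed out (as a trust anchor, not over the wire); the server still has to send the issuing CA's certificate along with its own; and a CA whose certificate carries pathlen:0 cannot usefully sign another CA, since every chain through that extra tier is rejected with a path-length error.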