Hello everyone,

I have a server application that will use OpenSSL to communicate with its 
clients over an SSL-secured channel.
This server requires a unique signed server certificate.
I plan to use my personal CA to issue these server certificates.

Now for the ease of deployment, I plan to create server certificates as part of 
server installation procedure.
For this, I plan to embed the openssl utility in my server installer. The user 
will be prompted for some information like C/ST/OU/CN etc. and a certificate 
request will be generated using the embedded openssl application.
With this, every server will have its own certificate request.

Now in order to get these requests signed by the CA, I can either:
1. Ask the user to send the request to me, and I will send back the signed 
certificate
2. Embed my CA certificate in the installer, and sign the certificate request 
then and there as it is generated.

I am more inclined towards the second option as it saves the user and myself 
from exchanging the cert request / signed certificates.
But I feel that this will be more risky, as in order to sign the certificate, I 
will have to make my CA private key available in the installer (is this a 
correct understanding?).

So could someone guide me with the best practices used in such scenarios?
Is there a way to securely embed the private key in the installers / CA 
certificate?

Thanks,
~ Urjit
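
Added example, not part of the original post: the request-and-sign exchange from option 1 done with the openssl command line, showing that only the CSR leaves the server and only the signed certificate and the CA's public certificate come back, so the CA private key stays on the CA machine. The two directories, the file names, the subject values and the subjectAltName step are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; directories, file names and subject values are constructed.
set -eu

# Installer side: key pair and CSR from the subject fields the user entered.
make_csr() {  # $1 = install dir, $2 = subject
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    chmod 600 "$1/server.key"
}

# CA side: stand-in for the personal CA, created here only to keep the script self-contained.
make_ca() {  # $1 = CA dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Personal CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# CA side: sign a received CSR; the CA operator chooses the DNS name to certify.
sign_csr() {  # $1 = CA dir, $2 = CSR, $3 = DNS name, $4 = output certificate
    printf 'subjectAltName=DNS:%s\n' "$3" > "$1/san.ext"
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/san.ext" -out "$4" 2>/dev/null
}

INSTALL_DIR=$(mktemp -d)   # stands for the customer's server
CA_DIR=$(mktemp -d)        # stands for the CA operator's machine

make_ca "$CA_DIR"
make_csr "$INSTALL_DIR" "/C=IN/ST=Maharashtra/O=Example Org/OU=Servers/CN=server01.example.test"

# The user sends only the request; server.key never leaves INSTALL_DIR.
cp "$INSTALL_DIR/server.csr" "$CA_DIR/"
sign_csr "$CA_DIR" "$CA_DIR/server.csr" server01.example.test "$CA_DIR/server.crt"

# The CA returns only public material; ca.key never leaves CA_DIR.
cp "$CA_DIR/server.crt" "$CA_DIR/ca.crt" "$INSTALL_DIR/"

# The server can check the chain using the CA certificate alone.
openssl verify -CAfile "$INSTALL_DIR/ca.crt" "$INSTALL_DIR/server.crt"
ls "$INSTALL_DIR"
```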