Title: Fullnet Solutions Limited
No this is great thanks.

My ultimate aim is to create certs for a site. Then to distribute the certs to only those I want to be able to access the site, any other attempted access needs to be denied, and do this for each virt host.

Sounds like it is possible, but will need to do a bit more reading.

Thanks for your help.

javierm wrote:
Hi Again:

Not exactly to associate one CA per virtual host.  This all can be done by
only one virtual host, even though you can have all the VH you need.  Apache
allows you to do many things with just one virtual host.

For example, If you notice the directive SSL_Require, it is inside a
LOCATION tag, this means you can send every client or every group of clients
associated to one sub-CA (i.e. all clients linked to financial-CA), to one
specific location of the server, with a specific database, a specific set of
directories, and applications, graphics, etc.

Yes, recap:
1.- create your root cert (3 years for example):
    openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 1095

2.- create sub-certs *requests* to be signed by previous root:
    openssl req -new -key subCA_key.pem -out subCA_req.pem

3.- sign every request with root CA
    openssl x509 -req -in subCA_req.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial -extfile openssl.cnf -extensions usr_cert -out subCA1_cert.pem -days 1095

I skipped key creation, you will need a pair for every cert needed.  I also
skipped the openssl.cnf details, there are heaps to play around including the
attributes of every Cert where you say things like the cert is a CA to sign
other certs, or it is for email encryption, browser, etc.  It's good to have
an openssl.cnf for every cert created, because there you can even include
the challenge password and other details you later might find difficult to
find elsewhere.  You could zip or gzip your bundle of openssl.cnf files and
then encrypt the whole unit with your own cert.  OK, those are the standard
paranoia procedures; sure you can make up better ones.

From there to Apache ssl_virtual host configuration.

Hope this clarifies better.  Sorry if I went into too stupid/obvious things.

Regards.

Kobus Bensch - No Sig wrote:
  
Hi
I have one CA
That one CA can generate multiple Certs that can then be used per apache
virtual host to allow only that one client to connect to that virtual
host with a specified port number?
End result = better management and an organised cert setup.
Kobus

    

  

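The recap in the thread, with the skipped pieces (a key pair per certificate and the extension sections) filled in, as an added example that is not part of the original messages: it builds a root, two sub-CAs and one client certificate under each, then uses `openssl verify` to show that a client only chains through its own sub-CA. All names, the `pki.cnf` file with its section names, and the 2048-bit key size are assumptions of the example.

```shell
# Added example; every name here (Example Root CA, financial-CA, sales-CA,
# alice, bob, pki.cnf and its section names) is constructed for illustration.
set -eu

mkreq() {  # mkreq <name>: one key pair + CSR per certificate
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {  # sign <name> <ca> <ext-section>: CA signs the CSR with those extensions
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -extfile pki.cnf -extensions "$3" \
        -out "$1.pem" -days 365 2>/dev/null
}
chain_ok() {  # chain_ok <subca> <client>: true only if client chains via that sub-CA
    openssl verify -CAfile root.pem -untrusted "$1.pem" \
        -purpose sslclient "$2.pem" >/dev/null 2>&1
}
build_pki() {  # build_pki <empty-dir>
    cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ca
[dn]
CN = Example Root CA
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout root.key -out root.pem -days 1095 2>/dev/null
    for ca in financial-CA sales-CA; do mkreq "$ca"; sign "$ca" root sub_ca; done
    mkreq alice; sign alice financial-CA client
    mkreq bob;   sign bob   sales-CA     client
}

build_pki "$(mktemp -d)"
chain_ok financial-CA alice && echo "alice: accepted via financial-CA"
chain_ok financial-CA bob   || echo "bob: rejected via financial-CA"
```

If a virtual host trusts the root alone, clients of every sub-CA can validate against it, so the per-location issuer restriction described in the thread is what separates the groups on the Apache side.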