On 28-May-10, at 8:04 PM, Dallas Clement wrote:

This is probably a dumb question, but if I wanted to become the next
Verisign of this world, how do I create a legitimate CA cert?  I'd
like to be able to create my own that passes verification without
throwing errors, like "unknown CA".

Well, the first thing that you do is do things that build "Trust", or the perception that you are trustworthy. Invest in hardware that will protect the CA's keys. Build processes that protect those keys. Use facilities that give the impression of trust (if you've ever been to Verisign HQ for a key ceremony, you'll appreciate the amount of "theater" that they do :). Then, document all of these in your "Certificate Policy" and Certification Practice Statement, along with all of the ways that you go about binding people or servers to their associated keys, and how you manage all of your personnel and facilities that are used in the operation of the CA, and issuance of certificates by that CA. When you cut your keys, do it in the presence of an auditor, and according to a proper key ceremony script.

Once you have this, then get audited to prove that you are following your certificate policy. Most of the browser vendors, to be included in their "Trusted Roots" list, like to see a WebTrust audit. If you want to be included in the list that can validate EV SSL certs, then you have to also follow the guidelines of the CA/Browser Forum.

Most of the vendors, however, also have the caveat that in order to be included in their list, you have to be a commercial entity that is issuing certs to "John Q Public". If you only issue to people within a small, closed community, then you'll have to talk pretty fast to get them to accept your CA into their browser.

That's it. If you need any help, give us a call :)

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org