I think you can make your own CA if you plan only to test this, or want to have people you know (and who know you) set your root up as trusted.

If your purpose is just for using an SSL cert for a website you own, then you are basically better off just buying one from Verisign, Thawte, whoever.

If you plan to start your own SSL issuing service, then this is a different story, you will need to look at WebTrust compliance as a starting point.

-Eduardo

-----Original Message----- From: Mounir IDRASSI
Sent: Friday, October 22, 2010 2:26 PM
To: openssl-users@openssl.org
Subject: Re: error: unable to get local issuer certificate


Hi Ariel,

If you want to avoid browser warnings, your only option is to get a
valid certificate for your users from a commercial CA. You can get them
for free from StartSSL, for example (http://www.startssl.com/).

If you represent an organization, then you can try to qualify for the
intermediate CA programs offered by commercial CAs. This involves being
audited and vetted and this comes with some limitations. Of course, the
price for such a program can be very high depending on your needs.
I hope this clarifies things for you.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 10/22/2010 7:03 PM, Ariel wrote:
Hi Dave, thanks for your reply but...

On Thu, Oct 21, 2010 at 7:52 PM, Dave Thompson <dthomp...@prinpay.com> wrote:

    > From: owner-openssl-us...@openssl.org On Behalf Of Ariel
    > Sent: Thursday, 21 October, 2010 16:34

    > On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p <sandeepkir...@gmail.com> wrote:
    >     mydomain.com.crt is an End-Entity certificate and not a CA cert. <snip>

    > So basically you mean that I can't use "mydomain.com.crt" to sign and issue
    > new certificates for my clients? I thought I could, using the bundle or intermediate
    > one they provided to me. Sorry for my ignorance, but I don't know too much
    > about how it works and this is annoying to me :S
    > I only want to generate and issue new certificates that my clients can install
    > in their browsers and then provide to me (SSL client certificate) when they come
    > to my site. Is this possible without having to create a self-signed CA cert that causes
    > browsers to not recognize it as a valid CA? Can I provide a trusted chained root
    > with the certificates I'm trying to issue?

    > [sandeep?] So you either need to get a CA cert from GoDaddy or set up a test CA
    > on your own using OpenSSL. GoDaddy, I am sure, would not provide you with a CA
    > certificate as that would then empower you to <snip rest>

    Do as sandeep said. Create your own private CA with OpenSSL. You issue
    certs to clients (who request them) and set your server(s) to trust your
    private root and thus the certs presented by the clients. Your server
    presents the cert issued to it under a real CA which the clients trust.
This means I need to create my own self-signed CA cert, right? And this is what I'm trying to avoid: "Because there is no established trust hierarchy leading to a self-signed certificate, it is impossible to verify that a self-signed certificate is genuine." [1]

I was reading here [2] because this is what I'm trying to do: SSL client authentication; but my problem is how to set up or get a valid ca.crt that I can use to sign and issue new client certificates and that will also validate properly.

Is this possible?

Thanks for your help,

- Ariel


[1] http://publib.boulder.ibm.com/infocenter/zos/v1r10/index.jsp?topic=/com.ibm.zos.r10.ikya100/intermed.htm
[2] http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3

    The only tricky bit is if your clients need to authenticate themselves
    to some *other* server(s) besides yours. Then they need to be able to
    select 'key/cert for Ariel' versus other, perhaps public, key/cert(s).
    Your server should do SSL_[CTX_]set_client_CA_list to your private root;
    this will send a 'hint' to the client which cert to present -- although
    it's up to the client to actually obey this hint, it's not required to.

    Plus of course you need to ensure that the people/machines you issue
    certs to are in fact the ones you want as clients. Although if you
    make a mistake, you can issue your own CRL(s) which your server checks.
    (And if it's convenient to put your CA on the same machine as your server,
    this greatly simplifies the CRL distribution procedure. <G?>)


    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majord...@openssl.org



--
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo


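As an added example, not code from any message in this thread, here are the openssl command-line steps behind Dave's advice: create a private root, issue a client certificate from the client's CSR, and check the chain the way a server that holds only that root in its trust store would. It assumes the `openssl` CLI is installed; every file name and certificate subject is constructed for the example. The second verification run, against a root that did not issue the certificate, reproduces the error from the subject line ("unable to get local issuer certificate"), which ties the symptom to its cause: the trust store handed to the verifier does not contain the issuer.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a private client CA with the
# openssl CLI, issues one client certificate, and shows how chain verification
# behaves against the issuing root versus an unrelated root. All names are
# constructed; the work directory is a fresh temp dir unless WORK is set.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed root certificate and its private key.
# Whoever holds this key can mint certificates the server will trust,
# so in real use it stays offline or on a tightly controlled host.
new_root() {
    # $1 = base file name, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The client generates its own key and sends only a CSR; the root signs it.
# The client key never leaves the client.
issue_client_cert() {
    # $1 = root base name, $2 = client name
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 90 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# Chain check as a server does it with its trusted CA file (the file it
# loads as its verify locations). Prints openssl's verdict and returns
# its exit status: 0 when the chain builds to the given root.
verify_client_cert() {
    # $1 = client name, $2 = root base name used as the trust anchor
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" 2>&1
}

# Same check, but always succeeds so callers can capture the message text.
verify_message() {
    verify_client_cert "$1" "$2" || true
}

run_demo() {
    new_root private_ca "Example Private Client CA"   # the private root
    new_root other_root "Some Unrelated Root"          # stands in for a public CA
    issue_client_cert private_ca alice

    echo "# alice.crt checked against the root that issued it:"
    verify_message alice private_ca
    echo "# alice.crt checked against a root that did not issue it:"
    verify_message alice other_root
}

run_demo
```

Only the root key signs; clients keep their own keys and submit a CSR. The server side then needs just the root certificate as its trusted CA file (the same list it advertises to clients with SSL_CTX_set_client_CA_list), and a certificate issued by mistake is handled the way Dave describes, by publishing a CRL from that CA and having the server check it (`openssl verify -crl_check -CRLfile` exercises the same check from the command line).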
