Well, I'm trying to do SSL client authentication for my website. So I bought
a wildcard cert from GoDaddy and it works pretty well to enable SSL on my
site. But now I'm trying to use it for SSL client auth for my clients. Then
I'm trying to sign, issue and validate client certificates using the one I
bought from GoDaddy, with NO results :( So I'm wondering if it's possible and,
if so, how?

Btw, the cert I got from GoDaddy has "CA:false" in its extensions. Does it
mean that I can't use it for the purpose I want? Is it possible, in some way,
to create and sign client certificates using the one I got from GoDaddy? How
can I include or create chained root certificates in the certificates I
provide/issue to my clients?

Hope you can understand my issues.

Thanks,

- Ariel

On Fri, Oct 22, 2010 at 6:04 PM, Eduardo Navarro
<eduardo.nava...@live.com> wrote:

> I think you can make your own CA, if you plan to only test this or want to
> have people you know and that know you set up your root as trusted.
>
> If your purpose is just for using an SSL cert for a website you own, then
> you are basically better off just buying one from Verisign, Thawte, whoever.
>
> If you plan to start your own SSL issuing service, then this is a different
> story, you will need to look at WebTrust compliance as a starting point.
>
> -Eduardo
>
> -----Original Message----- From: Mounir IDRASSI
> Sent: Friday, October 22, 2010 2:26 PM
> To: openssl-users@openssl.org
> Subject: Re: error: unable to get local issuer certificate
>
>
>
> Hi Ariel,
>
> If you want to avoid browser warnings, your only option is to get a
> valid certificate for your users from a commercial CA. You can get them
> for free from StartSSL for example (http://www.startssl.com/).
>
> If you represent an organization, then you can try to qualify for the
> intermediate CA programs offered by commercial CAs. This involves being
> audited and vetted and this comes with some limitations. Of course, the
> price for such a program can be very high depending on your needs.
> I hope this clarifies things for you.
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On 10/22/2010 7:03 PM, Ariel wrote:
>
>> Hi Dave, thanks for your reply but...
>>
>> On Thu, Oct 21, 2010 at 7:52 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
>>
>>    > From: owner-openssl-us...@openssl.org On Behalf Of Ariel
>>    > Sent: Thursday, 21 October, 2010 16:34
>>
>>    > On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p
>>    > <sandeepkir...@gmail.com> wrote:
>>    >     mydomain.com.crt is an End-Entity certificate and not a CA
>>    >     cert. <snip>
>>
>>    > So basically you mean that I can't use "mydomain.com.crt" to sign
>>    > and issue new certificates for my clients? I thought I could, using
>>    > the bundle or intermediate one they provided to me. Sorry for my
>>    > ignorance but I don't know too much about how it works and this is
>>    > annoying to me :S
>>    > I only want to generate and issue new certificates that my clients
>>    > can install in their browsers and then provide to me (SSL client
>>    > certificate) when they come to my site. Is this possible without
>>    > having to create a self-signed CA cert that causes browsers to not
>>    > recognize it as a valid CA? Can I provide a trusted chained root
>>    > with the certificates I'm trying to issue?
>>
>>    > [sandeep?] So you either need to get a CA cert from GoDaddy or set up
>>    > a test CA on your own using OpenSSL. GoDaddy, I am sure, would not
>>    > provide you with a CA certificate as that would then empower you to
>>    > <snip rest>
>>
>>    Do as sandeep said. Create your own private CA with OpenSSL. You issue
>>    certs to clients (who request them) and set your server(s) to trust your
>>    private root and thus the certs presented by the clients. Your server
>>    presents the cert issued to it under a real CA which the clients trust.
>>
>> This means I need to create my own self-signed CA cert, right? And this is
>> what I'm trying to avoid "Because there is no established trust hierarchy
>> leading to a self-signed certificate, it is impossible to verify that a
>> self-signed certificate is genuine." [1]
>>
>> I was reading here [2] because this is what I'm trying to do: SSL client
>> authentication; but my problem is how to set up or get a valid ca.crt that
>> I can use to sign and issue new client certificates and that will also
>> validate properly.
>>
>> Is this possible?
>>
>> Thanks for your help,
>>
>> - Ariel
>>
>>
>> [1]
>> http://publib.boulder.ibm.com/infocenter/zos/v1r10/index.jsp?topic=/com.ibm.zos.r10.ikya100/intermed.htm
>> [2]
>> http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3
>>
>>    The only tricky bit is if your clients need to authenticate themselves
>>    to some *other* server(s) besides yours. Then they need to be able to
>>    select 'key/cert for Ariel' versus other, perhaps public, key/cert(s).
>>    Your server should do SSL_[CTX_]set_client_CA_list to your private root;
>>    this will send a 'hint' to the client which cert to present -- although
>>    it's up to the client to actually obey this hint, it's not required to.
>>
>>    Plus of course you need to ensure that the people/machines you issue
>>    certs to are in fact the ones you want as clients. Although if you
>>    make a mistake, you can issue your own CRL(s) which your server checks.
>>    (And if it's convenient to put your CA on the same machine as your
>>    server, this greatly simplifies the CRL distribution procedure. <G?>)
>>
>>
>>    ______________________________________________________________________
>>    OpenSSL Project http://www.openssl.org
>>    User Support Mailing List openssl-users@openssl.org
>>    <mailto:openssl-users@openssl.org>
>>    Automated List Manager majord...@openssl.org
>>    <mailto:majord...@openssl.org>
>>
>>
>>
>> --
>> Ariel Diaz Bermejo
>> http://www.linkedin.com/in/adiazbermejo
>>
>>
>



-- 
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
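The procedure Dave and sandeep describe, as an added worked example that is not code from any poster in this thread: a private root built with the openssl CLI, a client certificate issued under it, the "CA:false" situation Ariel asks about reproduced with a stand-in for the GoDaddy wildcard cert, a CRL of the kind Dave mentions, and a PKCS#12 bundle (root included) that a user can import into a browser. The names (Example Private Root CA, www.example.com, alice, bob) and the bundle password are assumptions made up for the demo; the only requirement is an `openssl` binary. One point the thread circles around without stating: a browser never validates the *client* certificate against its own trust store, the server does, so a private root causes no browser warning for client auth as long as the server's own certificate still comes from a public CA.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. It builds the private
# CA Dave describes and shows: a client cert under the private root verifies;
# a CA:FALSE end-entity cert (the GoDaddy wildcard cert's situation) can sign
# but the result never validates; a CRL the server can check; a PKCS#12 bundle
# with the root for the browser. Names and the password are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir newcerts && : > index.txt && echo 01 > serial

cat > ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = overridden by -subj
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = private_ca
[ private_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/root.pem
private_key      = $dir/root.key
default_md       = sha256
default_crl_days = 30
EOF

# 1. Private root: self-signed, CA:TRUE, keyCertSign. A purchased end-entity
#    cert carries CA:FALSE and no keyCertSign, so it cannot play this role.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
  -subj "/CN=Example Private Root CA" -keyout root.key -out root.pem 2>/dev/null

# issue NAME SUBJECT ISSUER EXT_SECTION: new key + CSR for NAME, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 365 -sha256 -extfile ca.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

# 2. Server cert (stand-in for the GoDaddy cert) and a client cert for alice.
issue server "/CN=www.example.com" root   v3_server
issue alice  "/CN=alice"           root   v3_client
# 3. The thread's mistake: the CA:FALSE server cert used as issuer. x509 -req
#    does not refuse, so the problem only appears when the chain is verified.
issue bob    "/CN=bob"             server v3_client

# 4. Revoke alice and publish a CRL. openssl ca adds a cert it has not seen
#    before to the index as revoked, so no prior 'openssl ca' issuance is needed.
openssl ca -config ca.cnf -revoke alice.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -crldays 30 -out root.crl >/dev/null 2>&1

# 5. What the user imports into the browser: key, cert and the private root.
openssl pkcs12 -export -in alice.pem -inkey alice.key -certfile root.pem \
  -passout pass:changeit -out alice.p12

# Checks: each prints "yes" when the behaviour described in the thread holds.
client_cert_verifies() {   # alice chains to the private root: OK
  if openssl verify -CAfile root.pem -purpose sslclient alice.pem >/dev/null 2>&1
  then echo yes; else echo no; fi
}
non_ca_issuer_rejected() { # bob was signed by a CA:FALSE cert: verify fails
  if openssl verify -CAfile root.pem -untrusted server.pem bob.pem >/dev/null 2>&1
  then echo no; else echo yes; fi
}
revoked_cert_rejected() {  # with -crl_check the revoked alice cert is refused
  if openssl verify -crl_check -CAfile root.pem -CRLfile root.crl alice.pem >/dev/null 2>&1
  then echo no; else echo yes; fi
}
p12_cert_count() {         # the bundle carries alice's cert plus the root
  openssl pkcs12 -in alice.p12 -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "alice verifies:         $(client_cert_verifies)"
echo "non-CA issuer rejected: $(non_ca_issuer_rejected)"
echo "revoked alice rejected: $(revoked_cert_rejected)"
echo "certs in alice.p12:     $(p12_cert_count)"
openssl verify -CAfile root.pem -untrusted server.pem bob.pem || true
```

The last line shows the actual failure for bob's cert; depending on the OpenSSL version it reads "unable to get local issuer certificate" (this thread's subject line: the CA:FALSE cert is never accepted as an issuer, so the chain cannot be built) or "invalid CA certificate". To put the root and CRL to work on the Apache setup from [2], point `SSLCACertificateFile` at root.pem, `SSLCARevocationFile` at root.crl and set `SSLVerifyClient require`; for a quick check without Apache, `openssl s_server -cert server.pem -key server.key -CAfile root.pem -Verify 1` on one side and `openssl s_client -cert alice.pem -key alice.key -CAfile root.pem` on the other exercises the same handshake, with root.pem being exactly the list Dave's `SSL_CTX_set_client_CA_list` hint is built from.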
