CA and Certificates

1999-08-19 Thread Patrick Brewer

I subscribe to this list at work, but I'm sending from home.

I'm just starting here; thanks for the responses to my questions about
openssl.cnf.  As I read a little more I'm coming up with new questions.

  If I get a certificate from a CA can I then become a CA and create
certificates for machines in my domain?  Or for virtual hosted domains?

If so, how can I create a certificate at other than compile time?  I gather
that it is possible to create a certificate using openssl (the command), but I
can't find it documented anywhere.  (I'm running from a binary RPM, from
Mandrake.)  I would hate to have to compile a new copy of apache each time I
wanted a new certificate.

When I get a real certificate from a CA, can I just copy it over the old
dummy certificate currently being used by my apache server?

Thanks.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: CA and Certificates

1999-08-20 Thread Leland V. Lammert

At 04:39 AM 8/19/99 -0400, Patrick Brewer wrote:
>
>  If I get a certificate from a CA can I then become a CA and create
>certificates for machines in my domain?  Or for virtual hosted domains?
>
The certificate you receive is 'branded' to the site name in the request, and
can only be used on the named site. This establishes your traceability for a
'trust' relationship between your server and SSL enabled browsers that ALSO
trust YOUR certificate origin.

Becoming a CA is a different matter, .. involving YOUR issuance of
certificates. IMLK, being a CA has nothing to do WITH getting a certificate
FROM a CA. (What we do is described above.) If you are a CA issuing
certificates, the certificates you issue are installed on the client machines,
and you both have a trust relationship (i.e. the client trusts you, and you
know the client's identity via the certificate you have issued them.)

Each method is completely independent, .. the first involves *MUTUAL* trust of
a public CA, .. the second involves a bi-directional trust between YOUR CA and
identity-proven clients.

>If so how can I create a certificate at other than compile time?  I gather
>that it is possible to create a certificate using openssl (the command), but I
>can't find it documented anywhere.  (I'm running from a binary RPM, from
>Mandrake.)  I would hate to have to compile a new copy of apache, each time I
>wanted a new certificate.
>
Compile time has nothing to do with it. A self-created certificate is usable in
either case above, though for the first case the client will get a few screens
(four in NN) asking if they trust the issuer of the cert (i.e. you). If so, SSL
is permitted.

>When I get a real certificate from a CA, can I just copy it over the old
>dummy certificate currently being used by my apache server?
>
Yes, assuming the names match.

Lee

   Leland V. Lammert  [EMAIL PROTECTED]
   Chief Scientist  Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net

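The steps Lee describes (becoming a CA, creating a certificate with the openssl command rather than at compile time, and a client accepting the certificate only when it trusts the issuer and the name matches) as an added shell example; this is not code from the thread. The hostname www.example.test, the CA name and the scratch directory are constructed for the demo, and it assumes OpenSSL 1.1.1 or later on PATH with its standard openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA driven entirely by
# the openssl command (nothing is recompiled). It shows the two points from the
# reply: the certificate is bound to the name in the request, and a client only
# accepts it if the client also trusts the issuer. Hostname, CA name and the
# working directory are constructed for the demo; needs OpenSSL 1.1.1+.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1: "become a CA" by generating a self-signed CA key and certificate.
# With the standard openssl.cnf, req -x509 marks it basicConstraints CA:TRUE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: issue a server certificate for one hostname, signed by that CA.
# The request carries the name; the CA also places it in subjectAltName.
issue_server_cert() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# What a client sees: verify the cert for the hostname it connected to, trusting
# only the CA file given in $3 (none = an empty trust store, the warning case).
client_check() {
  cert="$WORK/$1.crt"; hostname="$2"; ca="${3:-}"
  if [ -n "$ca" ]; then set -- -CAfile "$ca"; else set --; fi
  if openssl verify -no-CAfile -no-CApath "$@" -verify_hostname "$hostname" "$cert" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_ca
issue_server_cert www.example.test
echo "client trusts CA, name matches: $(client_check www.example.test www.example.test "$WORK/ca.crt")"
echo "client trusts CA, name differs: $(client_check www.example.test other.example.test "$WORK/ca.crt")"
echo "client does not trust issuer:   $(client_check www.example.test www.example.test)"
```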