Thanks Mark, that was an extremely helpful explanation. When I asked
this question I was hoping to learn if CA certs are self-signed or if
there is some other procedure to authenticate a CA cert as being
legitimate. From your explanation it sounds like all CA certs are
generated by the CA itself
This should be more widely understood: an application considers a CA
trusted because some human told it so. There is no other way.
The "recognized" CAs are trusted by e.g. your browser because the
maker of the browser decided to trust them and so put them into the
list of trusted CAs that is pac
Back it up with a strong Certificate Practices Statement (CPS):
https://www.verisign.com/repository/cps/index.html
(Also some lawyers :)
/thomas/
- hardjono[AT]mit.eu
> -Original Message-
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of D
On Saturday 29 May 2010 12:02:44 a list member wrote:
> As somebody who audits CAs for purpose of them getting into trusted root
> list, this is what you have to do:
> a) Obtain WebTrust for certification authorities or ETSI 101 456 standard
> (+ EV guidelines from cabforum.org)
> b) Implement sys
l.org on behalf of Dallas Clement
Sent: Sat 5/29/2010 5:49 AM
To: openssl-users@openssl.org
Subject: Re: How to make a legit CA cert?
Thanks all for the information. This is good stuff to know too. What
I was really trying to understand is the nuts-n-bolts mechanics of how
a legit CA certif
Thanks all for the information. This is good stuff to know too. What
I was really trying to understand is the nuts-n-bolts mechanics of how
a legit CA certificate differs from a self-created one (I know, this
is a dumb question...)
For example, I can create my own for test purposes this way:
op
As somebody who audits CAs for purpose of them getting into trusted root
list, this is what you have to do:
a) Obtain WebTrust for certification authorities or ETSI 101 456 standard (+
EV guidelines from cabforum.org)
b) Implement systems in line with one of these standards. Not cheap. HSM
devices
On 28-May-10, at 8:04 PM, Dallas Clement wrote:
This is probably a dumb question, but if I wanted to be come the next
Verisign of this world, how do I create a legitimate CA cert? I'd
like to be able to create my own that passes verification without
throwing errors, like "unknown CA".
Well, t
You get browser providers to add your root CA cert to their list of inherently
trusted certs.
Failing that, you have your users import your root CA cert to their trusted
authority list once.
-Original Message-
From: owner-openssl-us...@openssl.org on behalf of Dallas Clement
Sent: Fri
