[PLUG] Signing Certs with OpenSSL?
Paul Heinlein
heinlein at attbi.com
Tue May 7 19:17:32 UTC 2002
On Tue, 7 May 2002, Wil Cooley wrote:
> I don't know if anyone here is going to know how to do this, other
> than perhaps Alan, but it's worth a shot. When I get a cert from
> Thawte, one of the formats offered is supposedly able to be used for
> signing other certs. The idea being, I've got a cert signed by a
> recognized CA and am able to extend my trust to a customer's cert,
> so instead of my customers having to go to Verisign or Thawte (now
> the same company), they can go directly to us. From my
> understanding, this should be possible, but I've never quite figured
> out how to do it. Anyone know?

Wil,

The OpenSSL stuff often ships with a CA.sh or CA.pl script.
Eye-grepping it will be instructive. Red Hat 7.1 even includes a man
page for the Perl version of the CA script.

In general, you'd want to create your own Certificate Authority (CA).
Then have your client generate a key (specific to the host on which
it'll operate) and a cert request based on that key. Your CA would
then create a new cert based on the client's request. Ship the new
cert back to your client, install it wherever, point the client's SSL
apps at it, et voila.

--Paul Heinlein <heinlein at attbi.com>
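
The procedure described in the reply above (own CA, client key and cert request, CA-issued cert), as an added example that is not part of the original post and is not the CA.sh/CA.pl script: it calls the `openssl` command line directly. The subject names, file names, the inline config, 2048-bit RSA keys and 30-day lifetimes are all constructed assumptions.

```shell
# Added example: private CA -> host key + CSR -> CA-signed host cert.
# All names (Example Private CA, host.example.com, file names) are constructed.
sign_with_private_ca() {
    dir=$(mktemp -d) || return 1
    rc=0
    (
        cd "$dir" || exit 1
        # Inline config so the run does not depend on a system openssl.cnf.
        cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
        # 1. CA side: CA key and self-signed CA certificate (CA:TRUE).
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        openssl req -x509 -new -sha256 -key ca.key -config demo.cnf \
            -days 30 -out ca.crt || exit 1
        # 2. Client side: host key and cert request; only the CSR is sent to the CA.
        openssl genrsa -out host.key 2048 2>/dev/null || exit 1
        openssl req -new -sha256 -key host.key -config demo.cnf \
            -subj "/CN=host.example.com" -out host.csr || exit 1
        # 3. CA side: issue the host cert from the request, marked CA:FALSE.
        openssl x509 -req -sha256 -in host.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 30 -extfile demo.cnf -extensions v3_host \
            -out host.crt 2>/dev/null || exit 1
        # 4. Relying side: the host cert must chain to the CA cert it trusts.
        openssl verify -CAfile ca.crt host.crt >/dev/null || exit 1
        openssl x509 -in host.crt -noout -issuer -subject
    ) || rc=$?
    rm -rf "$dir"
    return $rc
}

sign_with_private_ca
```

Step 4 succeeds only for clients that have been given `ca.crt` as a trusted CA certificate.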