LinuxQuestions.org > Linux - Software > Using OpenSSL to generate certificates (http://www.linuxquestions.org/questions/linux-software-2/using-openssl-to-generate-certificates-359579/)

24jedi 09-02-2005 02:06 PM

Using OpenSSL to generate certificates
 
Installed openssl-0.9.7e onto FreeBSD 5.4

Can I use the same myca.key file to create alpha.crt and beta.crt?
Are there any implications I should be aware of in doing so, aside from not using a CA like Verisign?
We are thinking of using these keys for a production website where:

https://alpha.domain.com
https://beta.domain.com

I took the following steps to create two separate openssl certificate files.

From the BSD command prompt (the -rand option takes a file argument, so it is omitted here; note this generates DSA parameters and a DSA key despite the file name):
# openssl dsaparam -genkey -out myRSA.key 1024

Next, generate the CA key:

# openssl gendsa -des3 -out myca.key myRSA.key
# Enter PEM pass phrase: {spongebob} , enter
# confirm PEM pass phrase: {spongebob} , enter

Change permissions to *.key files
# chmod 400 myca.key
# chmod 400 myRSA.key

Use this key to create the certificate:
Two certificates required, one for (alpha) and one for (beta)

Generate alpha.crt
# openssl req -new -x509 -days 1095 -key myca.key -out alpha.crt
# Enter pass phrase for myca.key: {spongebob}
# Country Name (2 letter code) [AU]: US
# State or Province Name (full name) [Some-State]: some-state
# Locality Name (eg, city) [ ]: city
# Organization Name (eg, company) [ ]: Acme Corp
# Organizational Unit Name (eg, section) [ ]: Systems Administrator
# Common Name (eg, your name or your server's hostname) [ ]: alpha.domain.com
# Email Address [ ]: NOC@domain.com

Generate beta.crt
# openssl req -new -x509 -days 1095 -key myca.key -out beta.crt
# Enter pass phrase for myca.key: {spongebob}
# Country Name (2 letter code) [AU]: US
# State or Province Name (full name) [Some-State]: some-state
# Locality Name (eg, city) [ ]: city
# Organization Name (eg, company) [ ]: Acme Corp
# Organizational Unit Name (eg, section) [ ]: Systems Administrator
# Common Name (eg, your name or your server's hostname) [ ]: beta.domain.com
# Email Address [ ]: NOC@domain.com

# chmod 400 alpha.crt
# chmod 400 beta.crt

Thanks
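The procedure in the post above runs `req -x509` twice with the same key, which produces two independent self-signed certificates rather than two certificates issued by one CA. The script below is an added example, not code from the thread or from any poster: it builds a small private CA (one CA key, one CA cert), gives alpha and beta their own keys and CA-signed certificates with a subjectAltName, and then reproduces the original two-self-signed-certs approach so the difference can be checked with `openssl verify`. Hostnames, subject fields, file names, validity periods and the use of 2048-bit RSA instead of 1024-bit DSA are assumptions; it needs only the `openssl` CLI.

```shell
#!/bin/sh
# Added example, not from the thread: one private CA with a separate key per
# host, plus a reproduction of the original post's "one key, two self-signed
# certs" approach to show that it yields no trust chain. Host names, subject
# fields, file names and the 2048-bit RSA choice are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/req.cnf"

# Minimal req config so the script does not depend on a system openssl.cnf.
# [v3_ca] marks the CA cert as a CA; leaf extensions come from an extfile.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# $1 = base name. Private keys are the only files that need mode 0400;
# certificates are public and can be world-readable.
new_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    chmod 400 "$WORK/$1.key"
}

# The CA: one key and one self-signed certificate. Only myca.crt has to be
# distributed to clients; myca.key stays offline.
make_ca() {
    new_key myca
    openssl req -new -x509 -days 1095 -config "$CFG" -extensions v3_ca \
        -key "$WORK/myca.key" -subj "/C=US/O=Acme Corp/CN=Acme Internal CA" \
        -out "$WORK/myca.crt" 2>/dev/null
}

# A server cert for host $1: its own key, a CSR, then a CA signature with a
# subjectAltName (modern clients match the hostname against the SAN).
issue_host() {
    new_key "$1"
    openssl req -new -config "$CFG" -key "$WORK/$1.key" \
        -subj "/C=US/O=Acme Corp/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$1" > "$WORK/$1.ext"
    openssl x509 -req -days 825 -in "$WORK/$1.csr" -CA "$WORK/myca.crt" \
        -CAkey "$WORK/myca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# What the original post does: `req -x509` with the CA key, once per host.
# Each result is its own issuer and both carry the CA's public key.
selfsign_with_ca_key() {
    openssl req -new -x509 -days 1095 -config "$CFG" -key "$WORK/myca.key" \
        -subj "/C=US/O=Acme Corp/CN=$1" -out "$WORK/selfsigned-$1.crt" 2>/dev/null
}

# Prints ok if $WORK/$2.crt chains to $WORK/$1.crt and matches hostname $3.
verify_with() {
    if openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" \
        "$WORK/$2.crt" 2>/dev/null | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# SHA-256 of the SubjectPublicKeyInfo in $WORK/$1.crt, to compare keys.
pubkey_fp() {
    openssl x509 -in "$WORK/$1.crt" -noout -pubkey 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

make_ca
issue_host alpha.domain.com
issue_host beta.domain.com
selfsign_with_ca_key alpha.domain.com
selfsign_with_ca_key beta.domain.com

echo "alpha.crt chains to myca.crt:      $(verify_with myca alpha.domain.com alpha.domain.com)"
echo "beta.crt chains to myca.crt:       $(verify_with myca beta.domain.com beta.domain.com)"
echo "alpha and beta share a key:        $([ "$(pubkey_fp alpha.domain.com)" = "$(pubkey_fp beta.domain.com)" ] && echo yes || echo no)"
echo "self-signed alpha uses the CA key: $([ "$(pubkey_fp selfsigned-alpha.domain.com)" = "$(pubkey_fp myca)" ] && echo yes || echo no)"
echo "self-signed alpha trusted via beta: $(verify_with selfsigned-beta.domain.com selfsigned-alpha.domain.com alpha.domain.com)"
echo "files in $WORK"
```

With the CA layout, a client that imports myca.crt once trusts both hosts, and a leaked alpha.key compromises only alpha; with the original layout, the "CA" key is the server key on both hosts, and clients must import each certificate separately because neither one vouches for the other.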

Matir 09-04-2005 10:34 PM

If you create self-signed certificates, users will get a warning visiting your site telling them that your certificates have not been signed by a trusted authority.

sundialsvcs 09-05-2005 08:37 AM

For a web-site, I agree that you should purchase a trusted certificate. I purchased one from http://www.entrust.net at quite a discount.

It's not a question of 'one certificate being more secure than another.' They are not. The technology is exactly the same, as is the security. It's a matter of appearances. And in this case, appearances matter.

For all internal uses, such as VPN communications within the network, transfers between the web host and an SQL back-end machine, and so on, use strictly internally-generated, self-signed keys and keep the master keys on devices that are locked in a safe box. This keeps anyone who is in possession of a public key from getting anywhere beyond the web-server (DMZ) layer.

Matir 09-06-2005 07:41 AM

I've never worked with them before, but I hear good things about directNIC for certificates.

sundialsvcs 09-06-2005 09:29 AM

As long as the certificates will be on commonly-distributed browser lists, any one of them will do. The security in all cases is exactly the same.

And, frankly, people might simply accept your self-signed certificate. You know your own users best.

24jedi 09-10-2005 12:01 AM

Thank you all for your replies.

True... the end-users are known. AAA is an additional step we will be taking to secure the websites. I am sure in the end we will purchase a cert from a CA...
