LinuxQuestions.org
Old 09-02-2005, 03:06 PM   #1
24jedi
Member
 
Registered: Jul 2003
Location: Richmond, VA
Distribution: FreeBSD 5.4
Posts: 75

Rep: Reputation: 15
Using OpenSSL to generate certificates


Installed openssl-0.9.7e onto FreeBSD 5.4

Can I use the same myca.key file to create alpha.crt and beta.crt?
Are there any implications I should be aware of in doing so, aside from not using a CA like VeriSign?
We are thinking of using these keys for a production website where:

https://alpha.domain.com
https://beta.domain.com

I took the following steps to create two separate openssl certificate files.

From bsd command prompt
# openssl dsaparam -genkey -out myRSA.key 1024

Next, generate the CA key:

# openssl gendsa -des3 -out myca.key myRSA.key
# Enter PEM pass phrase: {spongebob} , enter
# confirm PEM pass phrase: {spongebob} , enter

Change permissions to *.key files
# chmod 400 myca.key
# chmod 400 myRSA.key

Use this key to create the certificate:
Two certificates required, one for (alpha) and one for (beta)

Generate alpha.crt
# openssl req -new -x509 -days 1095 -key myca.key -out alpha.crt
# Enter pass phrase for myca.key: {spongebob}
# Country Name (2 letter code) [AU]: US
# State or Providence Name (Full Name) [some-state]: some-state
# Locality Name (eg, city) [ ] : city
# Organizational Name (eg, company) [ ] : Acme Corp
# Organizational Unit (eg, section) [ ] : Systems Administrator
# Common Name (eg, Your Name) [ ] : alpha.domain.com
# Email address [ ] : NOC@domain.com

Generate beta.crt
# openssl req -new -x509 -days 1095 -key myca.key -out beta.crt
# Enter pass phrase for myca.key: {spongebob}
# Country Name (2 letter code) [AU]: US
# State or Providence Name (Full Name) [some-state]: some-state
# Locality Name (eg, city) [ ] : city
# Organizational Name (eg, company) [ ] : Acme Corp
# Organizational Unit (eg, section) [ ] : Systems Administrator
# Common Name (eg, Your Name) [ ] : beta.domain.com
# Email address [ ] : NOC@domain.com

# chmod 400 alpha.crt
# chmod 400 beta.crt

Thanks
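A worked version of the procedure above, added here as an editor's example and not code from the thread: instead of signing alpha.crt and beta.crt directly with myca.key, a small private CA issues one certificate per host from that host's own key, and the script then checks the chain, the CN, and that the two hosts do not share a public key. Hostnames, subjects, key sizes and file paths are assumed; it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not code from the thread: a small private CA that issues one
# certificate per host from that host's own key, in place of signing alpha.crt
# and beta.crt directly with myca.key. Hostnames, subjects and paths are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# CA: one private key (kept offline in practice) plus its self-signed root cert;
# only ca.crt needs to reach the known end-users' browsers.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    chmod 400 "$WORK/ca.key"
    openssl req -new -x509 -days 1095 -key "$WORK/ca.key" \
        -subj "/C=US/O=Acme Corp/CN=Acme Internal CA" -out "$WORK/ca.crt" 2>/dev/null
}

# Host cert: fresh key, CSR with the hostname as CN, then a signature from the CA
# (current browsers also expect a subjectAltName extension; omitted here).
issue_host() {
    host="$1"
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    chmod 400 "$WORK/$host.key"
    openssl req -new -key "$WORK/$host.key" -subj "/C=US/O=Acme Corp/CN=$host" \
        -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$host.crt" 2>/dev/null
}

# Chain check: succeeds only if the host cert was signed by our CA.
verify_host() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# CN of a cert, to match it against the site it will serve.
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/$1.crt" | sed 's/.*CN *= *//'
}

# SHA-256 of the public key; two certs made from one key would share this value.
pubkey_fp() {
    openssl x509 -noout -pubkey -in "$WORK/$1.crt" | openssl sha256 | sed 's/.*= //'
}

main() {
    make_ca
    issue_host alpha.domain.com
    issue_host beta.domain.com
    verify_host alpha.domain.com
    verify_host beta.domain.com
    echo "alpha CN: $(cert_cn alpha.domain.com) key: $(pubkey_fp alpha.domain.com)"
    echo "beta  CN: $(cert_cn beta.domain.com) key: $(pubkey_fp beta.domain.com)"
}
main
```

The CA key in $WORK/ca.key plays the role of myca.key in the post and is the file to keep offline; the per-host .key files are what the web servers actually load.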
 
Old 09-04-2005, 11:34 PM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
If you create self-signed certificates, users will get a warning visiting your site telling them that your certificates have not been signed by a trusted authority.
 
Old 09-05-2005, 09:37 AM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172
For a web-site, I agree that you should purchase a trusted certificate. I purchased one from http://www.entrust.net at quite a discount.

It's not a question of 'one certificate being more secure than another.' They are not. The technology is exactly the same, as is the security. It's a matter of appearances. And in this case, appearances matter.

For all internal uses, such as VPN communications within the network, transfers between the web-host and an SQL back-end machine, and so-on, use strictly internally-generated, self-signed keys and keep the master-keys on devices that are locked in a safe-box. This keeps anyone who is in possession of a public key from getting anywhere beyond the web-server (DMZ) layer.
 
Old 09-06-2005, 08:41 AM   #4
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
I've never worked with them before, but I hear good things about directNIC for certificates.
 
Old 09-06-2005, 10:29 AM   #5
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172
As long as the certificates will be on commonly-distributed browser lists, any one of them will do. The security in all cases is exactly the same.

And, frankly, people might simply accept your self-signed certificate. You know your own users best.
 
Old 09-10-2005, 01:01 AM   #6
24jedi
Member
 
Registered: Jul 2003
Location: Richmond, VA
Distribution: FreeBSD 5.4
Posts: 75

Original Poster
Rep: Reputation: 15
Thank you all for your replies.

True...the end-users are known; AAA are additional steps we will be taking to secure the websites. I am sure in the end we will purchase a cert from a CA...
 