
slacky 11-16-2004 09:32 AM

OpenSSL CA for Intranet Infrastructure
I need to establish my own root CA for my company Intranet using OpenSSL - right now so I can use SSL on an email system (Postfix TLS and Stunnel for POP3S) and probably later for IIS/Apache web servers. Seems pretty easy, just run -newca and then start making certificates for the servers, and install the root certificate on all client programs (Outlook, Thunderbird).

My question is where do I keep/backup the files and what's best to use for the "Common Name" of the CA? I'm guessing if I make the CA on my workstation, I should be able to backup the demoCA folder and any keys/certificates I've made, or maybe just keep them on a USB key drive. Can I just move these files from my workstation to somewhere else, for example I decide to use an old laptop as a dedicated CA "server" as long as it has openssl installed? And right now I used my workstation's full DNS name as the CN - am I probably better off using something like "My Company CA" instead?


overlord73 11-16-2004 09:43 AM

hi slacky,

the common name of your request must be identical to the hostname of your server!

slacky 11-16-2004 09:48 AM


Originally posted by overlord73
hi slacky,

the common name of your request must be identical to the hostname of your server!

Right, that's what I thought at first - which makes sense for the mail servers or the web servers themselves. But what if I create the root CA on a different box, and use it to sign the mail server's certificate? If you look at some of the root certificates that come with Firefox they don't seem to use hostnames as the CN.

overlord73 11-24-2004 03:26 AM

Haven't tried it, but I think the server certificate is independent from the root CA.

-make CA on machine1
-make cert on machine1
-sign cert on machine1
-copy server.crt and server.key to machine2 in directories

When a client opens the page (on machine2) there comes a warning, because the CA could not be verified or similar... (the private CA is not public!). The client must ignore the message or install the cert. I think that's it!!
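The four steps above, written out as an added shell example that is not part of the thread or of the OpenSSL project: it builds a root CA and one server certificate in a scratch directory, then verifies the chain the way a client that has installed ca.crt would. The organisation name, the CA's Common Name ("Example Corp Intranet CA") and the hostname mail.example.internal are made-up values; the CA gets a descriptive CN while the server certificate carries the server's hostname in both CN and subjectAltName, which is what current clients actually match against.

```shell
#!/bin/sh
# Added example: private root CA plus one signed server certificate, all with
# the openssl command-line tool. All names below are constructed placeholders.
set -eu

# make_intranet_pki WORKDIR SERVER_FQDN
# Leaves ca.key, ca.crt, server.key, server.crt in WORKDIR and returns 0 only
# if the server certificate verifies against the CA.
make_intranet_pki() (
    workdir="$1"        # scratch directory, e.g. from mktemp -d
    server_fqdn="$2"    # hostname the clients will connect to
    mkdir -p "$workdir" && cd "$workdir"

    # 1. Root CA: private key and self-signed certificate ("make CA on machine1").
    #    The CN is a descriptive name, not a hostname: no client ever connects
    #    to the CA certificate itself, so there is nothing to match.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -key ca.key -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=Example Corp Intranet CA" \
        -out ca.crt

    # 2. Server key and certificate request ("make cert on machine1").
    #    Here the CN is the server's hostname.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -sha256 \
        -subj "/O=Example Corp/CN=$server_fqdn" -out server.csr

    # 3. Sign the request with the CA ("sign cert on machine1"). The extension
    #    file marks it as a leaf certificate for a TLS server and repeats the
    #    hostname as a subjectAltName, which modern clients check.
    cat > server.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$server_fqdn
EOF
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 825 -extfile server.ext -out server.crt 2>/dev/null

    # 4. Check the chain as a client that trusts ca.crt would. What then moves
    #    where: server.crt and server.key to machine2; ca.crt to every client's
    #    trust store; ca.key stays on the CA machine (or offline) only.
    openssl verify -CAfile ca.crt server.crt >/dev/null
)

# Usage: make_intranet_pki "$(mktemp -d)" mail.example.internal
```

Keeping the CA key off the mail and web hosts is the whole point of the split: if machine2 is compromised only server.key is lost, and a new server certificate can be issued without touching every client's trust store.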
