Thursday, January 31, 2008

Create your own Certificate Authority using OpenSSL

In my earlier blog post I showed how to generate a self-signed certificate.
A self-signed certificate is of no use for establishing trust with others, because no third party has signed it. Well-known third parties such as VeriSign and Thawte exist, but getting a certificate signed by them is a complex and costly process. If you only need to form a small trust community (e.g. within your company or with your clients), you can create your own Certificate Authority. The process is not as complex as it sounds, thanks to a Perl script that is, of course, included in the OpenSSL distribution. If you used the default installation settings, this script (CA.pl) is located at /usr/lib/ssl/misc/CA.pl. First, create a directory for your CA. Then copy CA.pl and /usr/lib/ssl/openssl.cnf to the directory you just created, and run the CA.pl script:
%./CA.pl -newca

When prompted, press the Enter key and the script will create a new certificate/key pair for you; if you already have a CA certificate you want to use, type its filename instead. You now have a certificate authority set up in a subdirectory called "demoCA". Simple, right? Let's try to sign a certificate using the CA we have just set up. Copy your certificate request to the current directory and rename it to newreq.pem (in the next section we will discuss how to generate a certificate request). Then issue the following command:
%./CA.pl -sign

If everything succeeds and the request is valid, a new certificate called newcert.pem is created in the same directory.
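The same workflow as an added, non-interactive example (not from the original post): it uses the plain openssl commands that CA.pl -newca and CA.pl -sign wrap, so it runs unattended, and finishes with the check the post leaves out, openssl verify against the CA certificate. The working directory, subjects and file names are made up for the example.

```shell
#!/bin/sh
# Added example, not the original post's code. Equivalent of CA.pl -newca and
# CA.pl -sign using direct openssl commands; all names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (CA.pl -newca): CA key plus self-signed CA certificate.
# -nodes leaves the key unencrypted only so this runs unattended; a real CA
# key should be passphrase protected and kept off the servers it certifies.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/CN=Example Internal CA" 2>/dev/null
    chmod 600 "$WORK/cakey.pem"
}

# Step 2: the requester's key and certificate request (the post's newreq.pem).
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" \
        -subj "/CN=server.example.internal" 2>/dev/null
}

# Step 3 (CA.pl -sign): the CA signs the request, producing newcert.pem.
# -CAcreateserial keeps a serial-number file so issued certs stay unique.
sign_request() {
    openssl x509 -req -in "$WORK/newreq.pem" -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/newcert.pem" 2>/dev/null
}

# Step 4: prove the certificate chains to our CA. Prints "<file>: OK" and
# exits 0 on success; a certificate from any other issuer fails here.
verify_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$1"
}

# A self-signed certificate from an unrelated key, to show verify rejecting it.
make_rogue() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/roguekey.pem" -out "$WORK/rogue.pem" \
        -subj "/CN=rogue" 2>/dev/null
}

make_ca
make_request
sign_request
openssl x509 -in "$WORK/newcert.pem" -noout -issuer -subject
verify_cert "$WORK/newcert.pem"
```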
