< Archive:Docs/Drafts | AdministrationGuide | Servers | MailServer
(I have not contributed for a while and after typing this up, I realized I do not remember styles and tags. I will come back to this in couple of days with proper style.)
Commercial SSL is typically hierarchical. Normally there is certificate authority (CA) and a client. Public key of major CA's are provided together with OS, so client certificates signed by them are recognized out of box.
Many guides in FOSS community suggest generation of self-signed certificates. Here any person (with openssl implementation) can act simultaneously CA and a client. This brings two deficiencies:
- There is no key in the system to recognize the certificate;
- The certificate is self-signed, someone is certifying self
We recommend eliminating at least Nr. 2 problem by switching two two tier hierarchy. You wil have to:
- Generate CA self signed certificate and key (this will ask for password)
- openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -config ./openssl.cnf
- Generate clients key and a request to CA to sign the certificate (-nodes is for no password)
- openssl req -nodes -newkey rsa:1024 -keyout key.pem -out req.pem -config ./openssl.cnf
- CA signs client request, and
- openssl ca -in req.pem -out newcert.pem -config ./openssl.cnf
- Warning: Be careful to correctly edit the openssl.cnf file and move cakey.pem key as needed by config.
- also issues certificate revocation list
- openssl ca -gencrl -out crl.pem -config ./openssl.cnf