Autosigned Certificates : Need explanation


Autosigned Certificates : Need explanation

max-18
Hello all,

I'm a newbie in SSL and certificates and I need some explanation
(I've already read manuals and howtos but it's still too dark for me):
On Debian,
* To generate a self-signed certificate, I use these commands:

/usr/lib/ssl/misc/CA.sh -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign

Files resulting from these operations are demoCA/cacert.pem,
demoCA/private/cakey.pem, newreq.pem, newcert.pem

Questions: Are these commands sufficient and good?
    To generate other certificates on the same host, should I execute
    again (and use the demoCA), in the same directory:

    openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
    /usr/lib/ssl/misc/CA.sh -sign

    Do self-signed certificates, even if they are not signed by an
    official CA, provide a good security level for TLS communications?
    Can I obtain official and free certificates?

To finish, the recurrent issue (sorry), but in a real case:
    I've got two servers with mail servers and OpenLDAP (both in a LAN
    but not at the same site) and I want to replicate the OpenLDAP DB using TLS.
    machine 1 name: server1.domain.com
    machine 2 name: server2             (no domain name)

    These machines have no entry in DNS (like ldap.domain.com).

    During CA creation, what Common Name should I provide on each host?
    During self-signed certificate creation, what Common Name should I
    provide on each host?

    Should I use the same CA for both certificates?

If someone could answer simply and clearly, it could be helpful.

Thx.

Max

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Autosigned Certificates : Need explanation

dmitrik
Also a newbie to SSL, but with the help of this list I got it working a few weeks ago.

This document was very helpful for me when installing on Solaris, even though it is for RH and you are using Debian:

http://www.linux-sxs.org/internet_serving/apache2.html

Also, for Common Name, using the IP address of the box worked for me.


-----Original Message-----
From: max <[hidden email]>
Sent: Aug 30, 2005 6:09 AM
To: [hidden email]
Subject: Autosigned Certificates : Need explanation
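As an added example (not code from either post), here is the procedure Max describes with CA.sh written out with the underlying openssl commands, so that each artifact is visible: one private CA, then one signed certificate per host, then a verification step. It addresses the Common Name question from both posts by putting the host's name, and for the server without a DNS entry also the IP address dmitrik mentions, into a subjectAltName, which is what TLS peers actually match against; the CN on its own is not enough for modern clients. The host names, the IP address 192.0.2.20 and the directory layout are assumptions chosen for illustration, and the script needs openssl 1.1.1 or later on the PATH. One caveat a private CA does not remove: the encryption is the same as with a commercially signed certificate, but you only get authentication if every peer is configured to trust exactly this cacert.pem (for OpenLDAP, the TLSCACertificateFile directive) and to verify the other side.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA built with plain
# openssl commands (the same steps CA.sh wraps), one certificate per host,
# and a check that covers both the chain and the name.
# Host names, the IP address and the directory layout are assumptions.
set -eu

# make_ca DIR: create the CA key and a self-signed CA certificate in DIR.
# Extensions come from an ext file we write ourselves, so the result does
# not depend on whatever openssl.cnf the distribution ships.
make_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$ca_dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Private CA" \
        -keyout "$ca_dir/cakey.pem" -out "$ca_dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$ca_dir/ca.csr" -signkey "$ca_dir/cakey.pem" \
        -days 3650 -sha256 -extfile "$ca_dir/ca.ext" -out "$ca_dir/cacert.pem" 2>/dev/null
}

# issue_cert DIR NAME SANS: key + CSR for one host, signed by the CA in DIR.
# SANS is a subjectAltName list such as "DNS:server1.domain.com,IP:192.0.2.20".
# The CN is set to the first SAN value; peers match on the SAN, not the CN.
# serverAuth and clientAuth are both set because each LDAP replica is a
# client of the other.
issue_cert() {
    ca_dir="$1"; name="$2"; sans="$3"
    cn=$(printf '%s' "$sans" | cut -d, -f1 | cut -d: -f2)
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=%s\n' "$sans" \
        > "$ca_dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$ca_dir/$name.key" -out "$ca_dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$ca_dir/$name.csr" \
        -CA "$ca_dir/cacert.pem" -CAkey "$ca_dir/cakey.pem" -CAcreateserial \
        -days 825 -sha256 -extfile "$ca_dir/$name.ext" -out "$ca_dir/$name.crt" 2>/dev/null
}

# verify_cert DIR NAME dns|ip VALUE: succeeds only if NAME.crt chains to the
# CA in DIR and is valid for the given host name or IP address, i.e. the
# same two checks a properly configured TLS peer performs.
verify_cert() {
    ca_dir="$1"; name="$2"; kind="$3"; value="$4"
    case "$kind" in
        dns) opt=-verify_hostname ;;
        ip)  opt=-verify_ip ;;
        *)   return 2 ;;
    esac
    openssl verify -CAfile "$ca_dir/cacert.pem" "$opt" "$value" \
        "$ca_dir/$name.crt" >/dev/null 2>&1
}

# Worked run mirroring the question: one CA signs both replication peers.
# server2 has no DNS name, so its certificate carries the IP as a SAN too.
WORK=$(mktemp -d)
make_ca "$WORK/ca"
issue_cert "$WORK/ca" server1 "DNS:server1.domain.com"
issue_cert "$WORK/ca" server2 "DNS:server2,IP:192.0.2.20"
for check in "server1 dns server1.domain.com" \
             "server2 dns server2" \
             "server2 ip 192.0.2.20" \
             "server1 dns server2"; do
    set -- $check
    if verify_cert "$WORK/ca" "$1" "$2" "$3"; then
        echo "accepted: $1.crt for $2 $3"
    else
        echo "rejected: $1.crt for $2 $3"   # expected for the last check
    fi
done
```

Running it prints accepted for the first three checks and rejected for the last one, which is the behaviour you want: a certificate issued for server1 must not authenticate a connection to server2 even though the same CA signed both. To re-issue or add hosts later, keep the CA directory and call issue_cert again; there is no need to create a new CA per host, and both replicas simply trust the one cacert.pem.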