Certificate Hierarchy

David Busby
Gurus,
   Two questions (perhaps I should have split this)

#1  When I look at Thawte or VeriSign certs that a server has there is a hierarchy, Thawte then Me or VeriSign then Me.
Well I made my own CA and signed some certs but they don't have the hierarchy like the commercial ones.  What gives?  Do I
need to make a root CA, then another CA signed by root then sign the certs with the second one?

#2 In this hypothetical situation how would someone break in or view the data transmitted?

Hardened Linux/Apache system with only port 443 open in a secure facility (please assume that hardened means everything
you, dear reader, would do to secure a box).  Now this Apache server is configured only to accept connections from
clients who present a certificate signed by the CA in #1 above.  If the client is not signed I generate and securely
transmit a cert to the client and then open the network to their IP.

/djb
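As an added example (not from the original post or the OpenSSL project), this script builds the three-tier hierarchy the poster asks about with the openssl CLI (root CA, an intermediate CA signed by the root, a server leaf signed by the intermediate) and then shows that the leaf only verifies when the intermediate is supplied alongside it. All subject names and lifetimes are made up; it assumes a reasonably current openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example: root CA -> intermediate CA -> server leaf, built with the
# openssl CLI, then verified with and without the intermediate present.

# Write the X.509v3 extensions each tier needs. A certificate only acts as a
# CA if it carries basicConstraints CA:TRUE (and keyCertSign); a leaf signed
# by a self-signed cert lacking that flag is rejected as an invalid CA.
write_ext_files() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$1/leaf.ext"
}

# Generate a P-256 key and a CSR for a made-up subject: new_csr DIR NAME SUBJECT
new_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/$2.key" 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "$3" -out "$1/$2.csr" 2>/dev/null
}

# Build root.pem, inter.pem and leaf.pem in DIR, each signed by the tier above.
build_chain() {
  dir="$1"
  mkdir -p "$dir" && write_ext_files "$dir"
  new_csr "$dir" root  "/CN=Example Private Root CA"
  new_csr "$dir" inter "/CN=Example Issuing CA"
  new_csr "$dir" leaf  "/CN=www.example.test"
  # Root: self-signed with CA extensions (the trust anchor clients install).
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -days 3650 -out "$dir/root.pem" 2>/dev/null
  # Intermediate: signed by the root; this is the extra tier commercial CAs show.
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -days 1825 -out "$dir/inter.pem" 2>/dev/null
  # Leaf: signed by the intermediate only; the root key never touches it.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -days 365 -out "$dir/leaf.pem" 2>/dev/null
}

# Verify the leaf against the root, with (1) or without (0) the intermediate
# offered as an untrusted chain cert. Exit status 0 means the chain verified.
verify_leaf() {
  if [ "$2" = 1 ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

d=$(mktemp -d) && build_chain "$d"
verify_leaf "$d" 1 && echo "with intermediate: OK"
verify_leaf "$d" 0 || echo "without intermediate: FAIL (the server must send inter.pem too)"
```

The same chain building applies when Apache checks a client certificate against SSLCACertificateFile, so a client cert issued by the intermediate needs the intermediate presented by the client or listed in that file as well.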
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]