[ale] https

Greg runman at telocity.com
Wed Feb 13 23:40:11 EST 2002


Here is something that came up on the misc at openbsd.org list about "being
your own cert authority".  Perhaps it can help. I have posted the latest at
the top (yeah, I know... don't top post... but 'tis already ctrl-v'd).


Actually, if you have the source distribution installed on your system
you'll find CA.pl and CA.sh

# ls  /usr/src/lib/libssl/src/apps/
CA.com            demoCA            gendsa.c          progs.h	server.pem
CA.pl             der_chop.in       genrsa.c          progs.pl	server.srl
CA.pl.in          dgst.c            install.com       rand.c	server2.pem
CA.sh             dh.c              makeapps.com      req.c	sess_id.c
CVS               dh1024.pem        md4.c             req.pem	set
Makefile.ssl      dh2048.pem        md5.c             rmd160.c	smime.c
app_rand.c        dh4096.pem        nseq.c            rsa.c 	speed.c
apps.c            dh512.pem         oid.cnf           rsa8192.pem	 spkac.c
apps.h            dhparam.c         openssl-vms.cnf   rsautl.c	 testCA.pem
asn1pars.c        dsa-ca.pem        openssl.c         s1024key.pem	testdsa.h
ca-cert.srl       dsa-pca.pem       openssl.cnf       s1024req.pem	testrsa.h
ca-key.pem        dsa.c             passwd.c          s512-key.pem	verify.c
ca-req.pem        dsa1024.pem       pca-cert.srl      s512-req.pem	version.c
ca.c              dsa512.pem        pca-key.pem       s_apps.h	winrand.c
cert.pem          dsap.pem          pca-req.pem       s_cb.c	x509.c
ciphers.c         dsaparam.c        pkcs12.c          s_client.c
client.pem        enc.c             pkcs7.c           s_server.c
crl.c             errstr.c          pkcs8.c           s_socket.c
crl2p7.c          gendh.c           privkey.pem       s_time.c

diana

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
On Thursday 14 February 2002 00:44, you wrote:
> Contact the openCA mailing list they take a long time to reply,
> But basically, with openCA you can be a certificate authority, which
> means you can issue certificates, for whatever purpose you need them.

Actually, you don't need OpenCA to be your own CA.

http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html
http://cognac.epfl.ch/SIC/SL/CA/
http://www.sendmail.org/~ca/email/other/cagreg.html

Note that you'll need CA.pl or CA.sh, neither of which is included in
OpenBSD (at least I can't find them anywhere). Just get the openssl distfile
and copy them from there.

Lars Hansson
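As an added example (not part of the original thread, and not the CA.pl/CA.sh scripts shipped with openssl), here is the hand-rolled equivalent of what CA.sh automates, using only the openssl(1) command line: create a CA key and self-signed CA certificate, issue a server certificate from a CSR, and verify that it chains to the CA. "Example Internal CA" and www.example.internal are placeholder names chosen for this example. The demo builds two independent CAs to show the trust property the thread keeps circling: a certificate issued by one CA is rejected when checked against the other, which is exactly why a browser that has not imported your private CA warns on a "self-certified" site.

```shell
#!/bin/sh
# Be your own CA with plain openssl(1), the manual equivalent of CA.sh.
# Example code; hostnames and CA names below are placeholders.
set -e

# make_ca DIR : create CA key + self-signed CA certificate in DIR
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Internal CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes leaves the CA key unencrypted so this runs unattended;
    # a real CA key belongs offline and passphrase-protected.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# issue_server_cert DIR HOST : CSR for HOST, then a CA-signed end-entity cert
issue_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    # End-entity extensions: explicitly NOT a CA, plus a SAN, which modern
    # clients require (the CN alone is no longer matched against the hostname).
    cat > "$dir/$host.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
}

# verify_against DIR CERT : exit 0 iff CERT chains to DIR/ca.crt
verify_against() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# demo : two independent CAs; a cert from ca1 must verify against ca1 only.
# Returns 0 on the expected outcome, 1 otherwise (explicit codes, since
# set -e is suspended inside functions called under || or if).
demo() {
    work=$(mktemp -d) || return 1
    if ! make_ca "$work/ca1" || ! make_ca "$work/ca2" \
       || ! issue_server_cert "$work/ca1" www.example.internal; then
        rm -rf "$work"; return 1
    fi
    rc=0
    leaf="$work/ca1/www.example.internal.crt"
    verify_against "$work/ca1" "$leaf" || rc=1          # must be trusted
    if verify_against "$work/ca2" "$leaf"; then rc=1; fi  # must be rejected
    rm -rf "$work"
    return $rc
}

demo && echo "ok: server cert chains to its own CA and to no other"
```

Run it with any OpenSSL 1.1.1 or 3.x; the only pieces CA.sh adds on top of this are the `demoCA/` bookkeeping (serial file, index.txt, newcerts/) needed to later issue a CRL, which is worth keeping if you ever have to revoke.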
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Contact the openCA mailing list they take a long time to reply,
But basically, with openCA you can be a certificate authority, which
means you can issue certificates, for whatever purpose you need them.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----Original Message-----
From: owner-misc at openbsd.org [mailto:owner-misc at openbsd.org] On behalf of
Mahdi Kefaiati
Sent: Sunday, 10 February 2002 8:39
To: misc at openbsd.org
Subject: OpenCA, PKI

in the name of the dearest

dear friends,
I'm completely confused about OpenCA.
That's because I haven't found any
document about it; all that is out of
date.
Please help me as soon as possible.
thanx.


> -----Original Message-----
> From: fgz [mailto:fzamenski at voyager.net]
> Sent: Wednesday, February 13, 2002 9:58 PM
> To: Greg
> Subject: Re: [ale] https
>
>
>
> ----- Original Message -----
> From: "Greg" <runman at telocity.com>
> To: "Geoffrey" <esoteric at 3times25.net>; <ale at ale.org>
> Sent: Wednesday, February 13, 2002 3:02 PM
> Subject: RE: [ale] https
>
>
> > I think that the certificate businesses (Verisign and Thawte) do some
> > research into the certificate holder to make sure that it is a "real"
> > business and not some 3l33t hax0r.... but I came across someone's
>
> Yes. Also, Verisign (the CA we use) requires a Dun & Bradstreet
> number for your business. Don't know if that can be waived for small
> ma and pa outfits. They require three contacts in your biz as part of the
> reg process, one of which is the primary contact (usually an IS mgr),
> a tech contact (myself), and the purchasing/licensing agent. The primary
> is the one they call (I think, I know I am never called). Currently
> $249/yr for a 40 bit certificate, to a whopping $849/yr for 128 bit.
>
> ..snip..
> > their "OK'ing" stuff when the cert is from Verisign/Thawte.  However, let
> > us not forget that a black hat got 9 certificate #'s that belonged to our
> > dear friends from Redmond.  Of course when it made the news MS made a patch
> > that would fix IE to not trust the 9 numbers (and what else it did I don't
> > know).
> >
>
> So much for verification? :)
>
> Seriously, I bet some heads rolled over that one. And rightfully so.
>
> > It depends on what degree of security you want and how much you are
> > willing to do/pay for.  My last job just used a self-generated
> > certificate, but we were not dealing with any e-commerce.
> >
>
> Good enough for internal use only. IMO, if I went to a commercial site
> that was self-certified, I'd think not twice, but thrice, before giving
> any CC or personal info. But that's just me.
>
> > Basically you are correct in your summation concerning the cert pimps and
> > "joe the web guy".
> >
>
> Got a chuckle out of that too. :)
>
> > Greg the web guy (not to be confused w/ joe the web guy)
> >
>
> 'k.
>
> -fgz
>
>
>
>


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.