Joel
2005-01-19 07:27:10 UTC
Had another newbie type question --
When reading about how to set up a self-signed web server, the docs I
read indicate there is a need for two certificates -- one being a
self-signed certificate for the entity certifying the server, and the
other being the certificate the web server gives out (certified by the
self-signed certificate).
Reading the RFCs and the docs, it seems like CAs would similarly have
the certificate(s?) they operate under and the certificate they give out.
And it looks like a root CA does not give out its self-signed
certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea.
The paragraph I'm reading now about pathLenConstraint makes it look like
the root CA does give out his self-signed certificate when he gives one
out -- talking about the count of non-self-signed certificates.)
Does setting up a root CA require generating a self-signed certificate,
and then generating an operating certificate signed under the
self-signed certificate, or am I thinking too hard and as confused as
usual?
--
Joel Rees <rees-fctGxyACD9F3+***@public.gmane.org>
digitcom, inc. $B3t<02q<R%G%8%3%`(B
Kobe, Japan +81-78-672-8800
** <http://www.ddcom.co.jp> **
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
When reading about how to set up a self-signed web server, the docs I
read indicate there is a need for two certificates -- one being a
self-signed certificate for the entity certifying the server, and the
other being the certificate the web server gives out (certified by the
self-signed certificate).
Reading the RFCs and the docs, it seems like CAs would similarly have
the certificate(s?) they operate under and the certificate they give out.
And it looks like a root CA does not give out its self-signed
certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea.
The paragraph I'm reading now about pathLenConstraint makes it look like
the root CA does give out his self-signed certificate when he gives one
out -- talking about the count of non-self-signed certificates.)
Does setting up a root CA require generating a self-signed certificate,
and then generating an operating certificate signed under the
self-signed certificate, or am I thinking too hard and as confused as
usual?
--
Joel Rees <rees-fctGxyACD9F3+***@public.gmane.org>
digitcom, inc. $B3t<02q<R%G%8%3%`(B
Kobe, Japan +81-78-672-8800
** <http://www.ddcom.co.jp> **
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org