HPE Community
Operating System - HP-UX
1822147 Members
4212 Online
109640 Solutions
New Discussion юеВ

SSL CA Certificate

 
SOLVED
Go to solution
Shivkumar
Super Advisor

тАО01-31-2006 11:21 AM

тАО01-31-2006 11:21 AM

SSL CA Certificate

Dear Sirs,

How do you create and install CA certificate in SSL. We don't want to use third party SSL tool like verisign and thwate etc.
We have our own site where various types of certificates can be created.

I have created key and certificate in the past but never created and installed CA Certificate.

Can someone shed some light on CA certificate ?

Thanks,
Shiv
0 Kudos
Reply
8 REPLIES 8
Chan 007
Honored Contributor

тАО01-31-2006 11:29 AM

тАО01-31-2006 11:29 AM

Re: SSL CA Certificate

Shiv,

http://www.openssl.org/docs/apps/ca.html

I haven't used it ...

Chan
0 Kudos
Reply
Arunvijai_4
Honored Contributor

тАО01-31-2006 03:18 PM

тАО01-31-2006 03:18 PM

Solution

Re: SSL CA Certificate

Hi Shiv,

CA - Certificate Authority. In cryptography, a certificate authority or certification authority (CA) is an entity which issues digital certificates for use by other parties. It is an example of a trusted third party. CA's are characteristic of many public key infrastructure (PKI) schemes.

A CA will issue a public key certificate which states that the CA attests that the public key contained in the certificate belongs to the person, organization, server, or other entity noted in the certificate.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Reply
Arunvijai_4
Honored Contributor

тАО01-31-2006 03:33 PM

тАО01-31-2006 03:33 PM

Re: SSL CA Certificate

Hi Shiv,

If you want to setup your own CA to use in your Intranet, do it with OpenSSL. OpenSSL is fully supported by HP and available to download from,

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

Release notes at,
http://www.docs.hp.com/en/5991-4792/index.html

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Reply
Arunvijai_4
Honored Contributor

тАО01-31-2006 03:47 PM

тАО01-31-2006 03:47 PM

Re: SSL CA Certificate

Hi Shiv,

You can setup your own CA with this guide,
http://sial.org/howto/openssl/ca/

Make sure you use OpenSSL downloaded from the above link (previous post)

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Reply
David Nixon
Valued Contributor

тАО02-01-2006 11:16 PM

тАО02-01-2006 11:16 PM

Re: SSL CA Certificate

You can use the Certificate import Wizard
to install a CA certificate under Windows.

Under UNIX its simply a matter of distributing the World readable certicate to whichever directory is the
default location scanned by SSL clients for lists of trusted CAs (/opt/openssl/certs under HP-UX).

I use Rdist for that purpose.

As you have already created certificates you
will be familiar with the tool used to create
a CA certificate.

You need to make arrangemnets within your
organisation for securely storing the CA key
- which you will use to sign server certificates.
Make sure you keep offline backup copies.

Reply
Steven E. Protter
Exalted Contributor

тАО02-01-2006 11:36 PM

тАО02-01-2006 11:36 PM

Re: SSL CA Certificate

Shalom Shiv,

A scripted solution.

#!/bin/sh

echo "name is: $1"


touch certindex.txt
touch index.txt
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -con
fig /etc/openssl.cnf
openssl req -new -nodes -out ${1}-req.pem -keyout private/${1}-key.pem -config /
etc/openssl.cnf
openssl ca -out ${1}-cert.pem -config /etc/openssl.cnf -infiles ${1}-req.pem

certf="${1}-cert.pem"
keyf="private/${1}-key.pem"


cp $keyf /etc/httpd/conf/ssl.key/
cp $certf /etc/httpd/conf/sss.crt/


Change the shell. Change the location of the configuration files.

This script is tested and works on HP-UX and Linux. When you are done, copy the files to the locations referred to in the configuration files.

I built this after reading documents at http://www.openssl.org

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Steven E. Protter
Exalted Contributor

тАО02-01-2006 11:40 PM

тАО02-01-2006 11:40 PM

Re: SSL CA Certificate

Shiv,

I re-read the thread.

I absolutely recommend against downloading ssl from the sources listed above.

For HP-UX you should get openssl from the Internet Express download. For Linux you should get the binary distributions from the Linux distribution vendor.

This is a very important security product and in the above mentioned sources you can be assured that the products have been properly tested.

openssl is a great organization and they know how to create and distribute their product. It is perferable to use versions on HP-9000 servers that have been ported and tested by HP.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Arunvijai_4
Honored Contributor

тАО02-01-2006 11:47 PM

тАО02-01-2006 11:47 PM

Re: SSL CA Certificate

Hi Shiv,

OpenSSL comes with a nifty utilities namely, CA.pl and CA.sh used as frienlier interface for OpenSSL certificate programs, more information can be found at,

http://www.openssl.org/docs/HOWTO/certificates.txt

# man CA.pl

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.