[olug] which digital certificate authority?

Sam Tetherow tetherow at nicusa.com
Mon Sep 29 20:43:47 UTC 2003


It's not the server.crt you want to make available, it is the CA.crt.  It 
adds that cert to the trusted cert list so any cert signed by it is 
considered trusted.  If you are only dealing with the single www cert, 
yes, you can just hit trust forever.  If you have several certs it is 
a lot easier to just add the CA cert instead of each one individually.

Brian Wiese wrote:
> On Mon, 29 Sep 2003 11:17:10 -0500
> Sam Tetherow <tetherow at nicusa.com> wrote:
> 
> |if you don't want to spend the afternoon to figure out how to do a self 
> |signed cert for internal stuff then I think the $49/year wouldn't be 
> |that unreasonable.  But really it doesn't take much to do it, check the 
> |mod_ssl FAQ for the quick and dirty how to ( 
> |http://www.modssl.org/docs/2.8/ssl_faq.html#ToC27 )
> 
> There's also a script that comes with mod_ssl, "mod-ssl-makecert.sh" which
> will take you through all the prompts and generate the CA and the self
> signed cert for you.  I found that pretty handy, though I did spend at
> least a couple hours playing with it to understand it a little better. 
> Getting a cert, and understanding the whole process may take you from
> 20mins to an afternoon.. but I'm sure Neal understands this whole csr,
> crt, crl, key stuff is.
> 
> as for...
> 
> |All you need to do is load the signing cert into the browser's list of 
> |acceptable CAs to get rid of this message.  Under Netscape/Mozilla all 
> |you need to do is view the .crt file with the browser.  I don't 
> |remember, but I'm pretty sure it at least asks for confirmation.
> |
> |To get it loaded under IE (included for completeness) you save the .crt 
> |to disk, then open the file and it should launch the certificate wizard.
> 
> Do I need to just make the "server.crt" file available for download for
> the clients to install this, or can they usually just say "trust forever"
> (not an option in IE?) this cert when the window pops up on the first time
> visiting the site?
> 
>  Brian Wiese | bwiese(at)cotse.com | aim: unolinuxguru
> -------------------------------------------------------
>   GnuPG/PGP key 0x2FD6AF16 | "FREEDOM!" - Braveheart 
> ------------------------------------------------------- 
> Please avoid sending me Word or PowerPoint attachments.
> See http://www.fsf.org/philosophy/no-word-attachments.html
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
> 


-- 
------------------------------------------------------------------------
Sam Tetherow                           tetherow at nicusa.com
Director of Development
NIC Labs (PSSG)                        http://www.nicusa.com
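
Added example, not part of the original message: the difference between trusting the CA cert and trusting a single server cert, shown with `openssl verify` standing in for the browser's trust list. The CA name, the `*.example.internal` hostnames and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: builds a throwaway CA and server certs in a temp dir.
# All names (Example Internal CA, *.example.internal) are constructed.

make_demo_pki() {   # $1 = empty working directory
    d=$1
    # Self-signed CA: ca.crt is the file clients import, ca.key stays private.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Two server certs issued by that CA.
    for h in www mail; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$h.example.internal" \
            -keyout "$d/$h.key" -out "$d/$h.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$h.csr" -days 30 \
            -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/$h.crt" 2>/dev/null || return 1
    done
    # A self-signed cert that the CA never issued, for contrast.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=other.example.internal" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null || return 1
}

# Exit status 0 if certificate $2 chains to the single trust anchor file $1.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {          # $1 = anchor, $2 = cert, both relative to $demo_dir
    if trusted_by "$demo_dir/$1" "$demo_dir/$2"; then r="trusted"; else r="NOT trusted"; fi
    printf 'anchor=%-8s cert=%-10s %s\n' "$1" "$2" "$r"
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" || exit 1
trap 'rm -rf "$demo_dir"' EXIT   # remove the throwaway private keys on exit
report ca.crt  www.crt     # CA imported: every cert it signed validates
report ca.crt  mail.crt
report ca.crt  other.crt   # not issued by the CA
report www.crt mail.crt    # trusting one server cert does not cover another
```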


