<div dir="ltr"><div><div><div>The point of the CA is that you install that Certificate. Then it becomes a chain of authority.<br><br></div>Root CA <--- this dude is the boss.<br> |<br></div>Intermediate CA - middle manager<br>
|<br></div><div>client cert <-- worker<br><br></div><div>The Root CA will ALWAYS be self-signed. Otherwise it is just an intermediate CA. You designate trust to a CA by installing the root CA into your /etc/ssl/certs and rehashing. Then you can verify by adding a flag for CAPath in openssl to /etc/ssl/certs.<br>
</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 10, 2013 at 10:26 AM, Mike Bean <span dir="ltr"><<a href="mailto:beandaemon@gmail.com" target="_blank">beandaemon@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>OK, here's what I'm really struggling with. I'm trying to get SSL going on a redhat-3 box. I've done enough research to know it's not working because SSL can't find the trusted cert. I figured out that openssl won't trust a self-signed certificate unless you install it in a specific directory and link the hash.<br>
<br></div>All of which can, at least on paper, be verified by running 'openssl verify cert.file'<br><br></div>My question is this. Does your certificate authority (CA) cert, in and of itself, have to be trusted as well? What about the key?<br>
<br># openssl verify /etc/pki/tls/myca.crt<br>/etc/pki/tls/myca.crt: CN = XXXXXXXXXXXX, emailAddress = XXXXXXXXXXXXXXXXXXXXXXXXXX<br>error 18 at 0 depth lookup:self signed certificate<br><br><div><div><div><div class="gmail_quote">
<div class="im">
---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Mike Bean</b> <span dir="ltr"><<a href="mailto:beandaemon@gmail.com" target="_blank">beandaemon@gmail.com</a>></span><br></div><div class="im">
Date: Wed, Jul 10, 2013 at 8:42 AM<br>
Subject: Re: materials on SSL?<br>To: CLUE's mailing list <<a href="mailto:clue@cluedenver.org" target="_blank">clue@cluedenver.org</a>><br><br><br><div dir="ltr"><div>Here's another good one: <a href="http://gagravarr.org/writing/openssl-certs/" target="_blank">http://gagravarr.org/writing/openssl-certs/</a><br>
</div>I know I'm kind of answering my own question as I go here, but I thought I'd share with the group anyway, just in case.<br>
</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 10, 2013 at 7:33 AM, Mike Bean <span dir="ltr"><<a href="mailto:beandaemon@gmail.com" target="_blank">beandaemon@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">This one's great!<br><a href="http://www.madboa.com/geek/openssl/" target="_blank">http://www.madboa.com/geek/openssl/</a><div>
<div><br><br><div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Mike Bean</b> <span dir="ltr"><<a href="mailto:beandaemon@gmail.com" target="_blank">beandaemon@gmail.com</a>></span><br>
Date: Wed, Jul 10, 2013 at 7:20 AM<br>Subject: materials on SSL?<br>To: CLUE's mailing list <<a href="mailto:clue@cluedenver.org" target="_blank">clue@cluedenver.org</a>><br><br><br><div dir="ltr"><div>Crazy question, I would think it would be all over the place, but I'm trying to research openssl and certs, and all the reference material necessary to get started, but I'm finding a surprising lack. Anyone got any good SSL/certificates references/material they can recommend?<span><font color="#888888"><br>
<br></font></span></div><span><font color="#888888">Mike Bean<br></font></span></div>
</div><br></div></div></div></div>
</blockquote></div><br></div>
</div></div></div></div><br></div></div></div></div>
</blockquote></div><br></div>
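<div>The chain and trust-store steps described in the reply at the top of this thread, as an added example that is not part of the original messages: it builds a throwaway root, intermediate and leaf in a scratch directory (standing in for /etc/ssl/certs) and shows what <code>openssl verify -CApath</code> reports before and after the root is installed and hash-linked. All certificate names and the helper names (issue, install_root, check) are constructed for this example.</div>

```shell
#!/bin/sh
# Added example. All names are constructed; everything lives in a scratch dir.
set -e
W=$(mktemp -d)
mkdir "$W/trust"   # stands in for /etc/ssl/certs

cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME CN EXT_SECTION ISSUER: new key + CSR, signed by ISSUER's key.
issue() {
  openssl req -new -config "$W/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$W/$1.key" -out "$W/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$4.crt" -CAkey "$W/$4.key" \
    -CAcreateserial -extfile "$W/ca.cnf" -extensions "$3" -days 30 \
    -out "$W/$1.crt" 2>/dev/null
}

# Root CA: self-signed, so its issuer and subject are the same name.
openssl req -x509 -config "$W/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
  -nodes -keyout "$W/root.key" -out "$W/root.crt" -days 30 \
  -subj "/CN=Constructed Root CA" 2>/dev/null
issue int  "Constructed Intermediate CA" v3_ca   root
issue leaf "constructed.example"         v3_leaf int

# install_root: copy the root in and add the <subject-hash>.0 link that
# -CApath lookups need (the "rehash" step; c_rehash automates it).
install_root() {
  cp "$W/root.crt" "$W/trust/root.pem"
  ln -sf root.pem "$W/trust/$(openssl x509 -noout -hash -in "$W/root.crt").0"
}

# check NAME [verify options]: prints OK or FAIL for $W/NAME.crt.
check() {
  c=$1; shift
  if openssl verify -CApath "$W/trust" "$@" "$W/$c.crt" 2>&1 | grep -q ': OK$'
  then echo OK; else echo FAIL; fi
}

before=$(check root)   # FAIL: error 18, self-signed and not yet trusted
install_root
echo "root before/after install: $before / $(check root)"
echo "leaf without intermediate: $(check leaf)"
echo "leaf with -untrusted int:  $(check leaf -untrusted "$W/int.crt")"
```

<div>Only the root is installed here, so the leaf verifies only when the intermediate is supplied with <code>-untrusted</code>; the private keys are never placed in the trust directory.</div>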