Rolling your own CA
How many intermediaries do you need? Usually one. Issue a single intermediate CA from the (offline) root and mark it with basicConstraints = critical, CA:TRUE, pathlen:0. A path length of 0 means no further CA may sit below it in a chain: the intermediate can sign end-entity certificates, but anything issued by a sub-CA that it signed is rejected during path validation, so a compromised intermediate key cannot be used to mint new CAs.
As a CA, you will need to sign server certificates (used for web servers, any kind of server). How will you accomplish this?
Use a [ server_cert ] extension section and select it when signing (openssl ca -extensions server_cert, or openssl x509 -req -extfile <your cnf> -extensions server_cert). The lines that matter are CA:FALSE, the keyUsage bits and extendedKeyUsage = serverAuth; nsCertType and nsComment are legacy Netscape extensions that modern TLS clients ignore, so they can be dropped. Browsers also require a subjectAltName on server certificates, so add the host names (subjectAltName = DNS:<hostname>) when you sign.

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
As a CA, you will need to sign client certificates (used for remote user auth). How will you accomplish this?
Use a [ usr_cert ] extension section, selected the same way at signing time. extendedKeyUsage = clientAuth is what a TLS server checks when it authenticates a remote user; emailProtection additionally lets the same certificate be used for S/MIME. As with the server profile, nsCertType and nsComment are legacy Netscape extensions and can be omitted.

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
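The whole procedure end to end, as an added example (this is not the page's own script): a throwaway root and a pathlen:0 intermediate, one server and one client certificate issued with the two extension sections above, and a check of what pathlen:0 actually enforces. It assumes an openssl binary on PATH; the config file, the CA and subject names (Demo Root CA, www.example.test, alice, Unexpected Sub CA) and the file layout in a temp directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the page: builds a two-tier PKI in a temp directory
# with the extension sections above, then validates each cert for a given purpose.
# All names and paths below are constructed for this demo.
set -eu

WORK="${PKI_WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"

write_config() {
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_root ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

[ v3_intermediate ]
# pathlen:0 -> this CA may sign end-entity certificates only
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
keyUsage = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
}

# new_key NAME: 2048-bit RSA key (keyEncipherment is only meaningful for RSA)
new_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
}

# csr NAME SUBJECT: certificate request for NAME.key
csr() {
  openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$CNF" -out "$WORK/$1.csr"
}

# sign NAME ISSUER EXT_SECTION DAYS: issue NAME.crt from NAME.csr with the given extensions
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$4" -extfile "$CNF" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  [ -f "$WORK/leaf.crt" ] && return 0   # already built
  write_config
  new_key root
  openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Demo Root CA" -days 3650 \
    -config "$CNF" -extensions v3_root -out "$WORK/root.crt"
  new_key inter;  csr inter  "/CN=Demo Intermediate CA"; sign inter  root  v3_intermediate 1825
  new_key server; csr server "/CN=www.example.test";     sign server inter server_cert     365
  new_key client; csr client "/CN=alice";                sign client inter usr_cert        365
  # What pathlen:0 forbids: a further CA under the intermediate, and a leaf under that.
  # Signing itself succeeds (openssl x509 does not consult the issuer's pathlen);
  # path validation of anything the sub-CA issues will not.
  new_key subca;  csr subca  "/CN=Unexpected Sub CA";    sign subca  inter v3_intermediate 365
  new_key leaf;   csr leaf   "/CN=leaf.example.test";    sign leaf   subca server_cert     365
  cat "$WORK/inter.crt" "$WORK/subca.crt" > "$WORK/untrusted.pem"
}

# verify NAME PURPOSE: prints ok or fail, never aborts the script
verify() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" \
       -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# verify_reason NAME PURPOSE: first error string openssl reports (empty on success)
verify_reason() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" \
    -purpose "$2" "$WORK/$1.crt" 2>&1 | sed -n 's/.*depth lookup: *//p' | head -n 1
}

build_pki
for case in "server sslserver" "client sslclient" "client sslserver" "server sslclient" "leaf sslserver"; do
  set -- $case
  printf '%-7s as %-9s : %-4s %s\n' "$1" "$2" "$(verify "$1" "$2")" "$(verify_reason "$1" "$2")"
done
```

The server certificate validates for sslserver and the client certificate for sslclient; each fails for the other purpose because its extendedKeyUsage does not list it. The leaf signed by the sub-CA fails with "path length constraint exceeded" even though every signature in its chain is valid, which is exactly the guarantee pathlen:0 on the intermediate gives you.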