On Tue, 2005-02-22 at 23:42 +0000, Wil Cooley wrote:
> On 2005-02-22, Craig White <[EMAIL PROTECTED]> wrote:
>
> > now going a bit off topic - I installed tinyca and it seems to be the
> > type of thing that I could really use - of course, I need to know how to
> > use it.
> >
> > The web site doesn't show a mailing list and I would love to see traffic
> > on how people use it - is there somewhere that the usage is discussed -
> > besides the openssl list?
>
> Not that I've found. The lack of introductory material intimidated me at
> first too, but at some point I had one of those rare confluences of focus and
> lucidity... (Or, maybe I did find an introductory doc and have just
> forgotten.)
>
> Basically, think of the process you have to go to get a cert from an
> established CA--generate a key and CSR. You give the CSR to the root CA
> and the root CA gives you a cert back. So, you've got half of it.
>
> Now to play the root CA part, you've got to generate your root CA key
> and certificate, which I think TinyCA does when you first start it. Then,
> there's a place to import a CSR and generate a certificate from that. You put
> that certificate in the appropriate place on the web server (or wherever)
> and you've got it.
>
> Finally, you need to make the root certificate available to clients--they'll
> have to import it initially, so it may not be better than self-signed certs,
> depending on your usage patterns. All I've done is export the root
> certificate and put it on a publicly-accessible web server, naming it
> with a .crt extension, which should be configured with the right MIME
> type in Apache; if not, this should do it:
>
>     AddType application/x-x509-ca-cert .crt
>
> Browsers will recognize this MIME type and prompt you to import and
> trust the cert. Then, any certificates signed with this certificate
> will be recognized.
>
> Well, this has all been off the top of my head, which is ill, so try to
> fill in anything that seems nonsensical.
>
----
When you say 'you have to go to get a cert from an established CA' - does
that mean for purposes of being my own CA, tinyCA is of little use to me?

My goal was to be my own CA - generate per user certificates and have
revocation rights. I haven't had many issues with creating certs for
various applications such as ldap/apache etc. I was looking for some
granular control for individual users.

Craig
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
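
The workflow discussed in this thread (root CA key and certificate, per-user key and CSR, CA-signed certificate, root certificate published to clients), extended with the per-user revocation asked about, sketched with the openssl command line. This is an added example, not from either poster and not TinyCA's own code; the directory layout, CN values and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: private CA with the openssl CLI. Names and paths are constructed.
make_ca() {  # $1 = empty working directory; writes ca.key (secret) and ca.crt (publish)
    mkdir -p "$1/newcerts" && : > "$1/index.txt" || return 1
    echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = myca
[ myca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = usr
[ policy_any ]
commonName = supplied
[ usr ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -subj "/CN=Example Private Root CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
issue_user_cert() {  # $1 = CA dir, $2 = user name: key + CSR, then the CA signs the CSR
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
revoke_user_cert() { openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null; }
cert_status() {  # regenerate the CRL, then verify the user cert against root + CRL
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null || return 1
    out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$1/$2.crt" 2>&1) && { echo valid; return 0; }
    case $out in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac
}
# Demo run in a scratch directory
d=$(mktemp -d) && make_ca "$d" && issue_user_cert "$d" alice && cert_status "$d" alice
```

Only `ca.crt` and the regenerated `ca.crl` are meant to leave the CA host; revocation takes effect only for clients and servers that actually fetch and check the CRL.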