لطفا منتظر باشید ...
Recipe 4.8 Creating a Self-Signed SSL Certificate
4.8.1 Problem
You
want to create an SSL certificate but don't want to
use a well-known certifying authority (CA), perhaps for reasons of
cost.
4.8.2 Solution
Create a self-signed SSL certificate:For Red Hat:
$ make -f /usr/share/ssl/certs/Makefile filename.crt
For SuSE or other:
$ umask 077
$ openssl req -new -x509 -days 365 -out filename.crt -keyout privkey.pem
4.8.3 Discussion
A certificate is self-signed if its
subject
and issuer are the same. A self-signed certificate does not depend on
any higher, well-known issuing authority for validation, so it will
have to be explicitly marked as trusted by your users. For instance,
the first time you connect to such a server, client software (such as
your web browser) will ask if you would like to trust this
certificate in the future.Self-signing is convenient but runs the risk of
man-in-the-middle attacks on the
first connection, before the client trusts the certificate. A more
secure method is to pre-install this certificate on the client
machine in a separate step, and mark it as trusted.When you create the certificate, you will be prompted for various
things, particularly a Common Name. Pay special
attention to this, as when creating a certificate signing request
(CSR). [Recipe 4.7]If you need many certificates,
this method may be cumbersome, as your users will have to trust each
certificate individually. Instead, use
openssl to set up your own CA, and issue
certificates under it. [Recipe 4.9] This way, you
need only add your one CA certificate to your
client's trusted caches; any individual service
certificates you create afterward will be automatically trusted.
|
4.8.4 See Also
openssl(1).
