From: Ejbca s. <ejb...@pr...> - 2007-02-22 09:27:12
There is a standard extension called BasicConstraints that is true for a CA and false for an end entity (server, user etc). When verifying a certificate chain the verifying software will not allow a certificate with BasicConstraints=false to sign another certificate. This was constructed in the standard (X.509, RFC 3280) to prevent users from acting as CAs, since that would not be good for the security of the system.

Hope that clarifies things.

Cheers,
Tomas

SimonB wrote:
> Ah OK - so what is the difference between a cert I can use as a CA cert and a
> cert I can only use as a server cert i.e. what is there on the cert that
> allows its use as a CA cert (sorry to be a bit dense!)
>
> Thanks
>
>
> Tomas Gustavsson-4 wrote:
>>
>> It really depends on the business model of the CA signing your CA cert
>> doesn't it :-)
>> They may also charge you 1000 times more for a CA cert than for a server
>> cert right? (and probably they will).
>>
>> Cheers,
>> Tomas
>>
>>
>> SimonB wrote:
>>> Hi, thanks for the prompt reply
>>>
>>> Doesn't this mean that the CA who signs the initial cert will lose money
>>> because now we can create our own server certs (with the initial CA as the
>>> top signer so browsers will not complain) and will not have to go back and
>>> pay them?
>>>
>>> :-)
>>>
>>> Regards
>>>
>>>
>>> Tomas Gustavsson-4 wrote:
>>>> Yes, when creating the CA in EJBCA simply select:
>>>> Signed by: External CA
>>>>
>>>> Then a request that can be sent to the external CA is created, and you
>>>> must import the received certificate before the CA becomes active.
>>>> After this process it works just like any other CA in EJBCA.
>>>>
>>>> Cheers,
>>>> Tomas
>>>> -----
>>>> PrimeKey Solutions offers a commercial EJBCA-subscription, including
>>>> support and new extensions for EJBCA. Please see www.primekey.se or
>>>> contact in...@pr... for more information.
>>>>
>>>> SimonB wrote:
>>>>> Hi,
>>>>>
>>>>> Is it possible to create a RootCA using an externally signed cert (by for
>>>>> example Entrust) and then use that CA to produce certificates for use on
>>>>> servers?
>>>>>
>>>>> So for example:
>>>>>
>>>>> Create a new RootCA with DN = 'CN=My Company,O=Organisation,C=GB'
>>>>> then go through the process to get it signed by an external CA.
>>>>>
>>>>> Then when the response is received and imported use the now active CA to
>>>>> create an end user certificate with CN=myserver.domain.com for use as an
>>>>> apache cert on a server.
>>>>>
>>>>> Thanks in advance.
>>>> _______________________________________________
>>>> Ejbca-develop mailing list
>>>> Ejb...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop