Basic FAQs and HOWTOs

Craig White craigwhite at azapple.com
Thu Feb 24 01:43:28 EST 2005 

On Tue, 2005-02-22 at 23:42 +0000, Wil Cooley wrote:
> On 2005-02-22, Craig White <craigwhite at azapple.com> wrote:
> 
> > now going a bit off topic - I installed tinyca and it seems to be the
> > type of thing that I could really use - of course, I need to know how to
> > use it.
> >
> > The web site doesn't show a mailing list and I would love to see traffic
> > on how people use it - is there somewhere that the usage is discussed -
> > besides the openssl list?
> 
> Not that I've found.  The lack of introductory material intimidated me at
> first too, but at some point I had one of those rare confluences of focus and
> lucidity... (Or, maybe I did find an introductory doc and have just forgotten.)
> 
> Basically, think of the process you have to go to get a cert from an
> established CA--generate a key and CSR.  You give the CSR to the root CA
> and the root CA gives you a cert back.  So, you've got half of it.
> 
> Now to play the root CA part, you've got to generate your root CA key
> and certificate, which I think TinyCA does when you first start it.  Then,
> there's a place to import a CSR and generate a certificate from that.  You put
> that certificate in the appropriate place on the web server (or whereever)
> and you've got it.
> 
> Finally, you need to make the root certificate available to clients--they'll
> have to import it initially, so it may not be better than self-signed certs,
> depending on your usage patterns.  All I've done it export the root
> certificate and put it on a publicly-accessible web server, naming it
> with a .crt extension, which should be configured with the right MIME
> type in Apache; if not, this should do it:
> 
> AddType application/x-x509-ca-cert .crt
> 
> Browsers will recognize this MIME type and prompt you to import and
> trust the cert.  Then, any certificates signed with this certificate
> will be recognized.
> 
> Well, this has all been off the top of my head, which is ill, so try to
> fill in anything that seems nonsensical.
> 
----
When you say 'you have to go to get a cert from an established CA' -
does that mean for purposes of being my own CA, tinyCA is of little use
to me?

My goal was to be my own CA - generate per user certificates and have
revocation rights. I haven't had many issues with creating certs for
various applications such as ldap/apache etc. I was looking for some
granular control for individual users.

Craig

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

More information about the Info-cyrus mailing list