INTL 3:770/1 3:770/3
REPLYADDR bp@www.zefox.net
REPLYTO 3:770/3.0 UUCP
MSGID: a9f2ed77
REPLY: 523f76d0
PID: SoupGate-Win32 v1.05
Lawrence D'Oliveiro wrote:
> On Sat, 31 Aug 2024 00:54:42 -0000 (UTC), bp wrote:
>
>> The command to generate the self-signed certificate and key pair was
>> openssl req -new -x509 -days 365 -sha3-512 -keyout host.key -out host.crt
>> based on instructions from
>> https://docs.freebsd.org/en/books/handbook/security/ combined with some
>> private correspondence suggesting it worked correctly.
>
> I had a look at those instructions, and they don’t mention how to
> generate the actual CA cert. Having your own CA cert means you only
> have to import it once into a browser (or other SSL/TLS client), and
> it will thereafter trust all certs signed by this CA.
>
Ok, that explains a lot. I thought the host certificate _became_ a
CA certificate through the self-signing process..... So, I actually
need _two_ certificates, one for the server and one for the signing
authority, both created on the sesrver? Presumably the client (a Pi5
running RasPiOS) already has created its own?
> The procedure for being your own CA is a lot simpler in OpenSSL 3. I
> have some notes here .
Fortunately it seems OpenSSL 3 is installed. I'll try your exercise
shortly
You've cleared up vast confusion, thank you!
bob prohaska
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
SEEN-BY: 19/38 90/1 105/81 106/201 129/305 153/757 7715 218/700 840
SEEN-BY: 220/70 226/17 30 100 227/114 229/110 111 114 200 206 300
SEEN-BY: 229/317 400 426 428 470 550 616 664 700 266/512 267/800 282/1038
SEEN-BY: 291/111 292/854 310/31 320/219 322/757 342/200 396/45 460/58
SEEN-BY: 633/280 281 412 418 420 509 2744 712/848 770/1 3 100 330
SEEN-BY: 770/340 772/210 220 230 5020/400 5075/35
PATH: 770/3 1 633/280 229/426
|
