From owner-freebsd-hackers Mon Jan 14 6:31: 8 2002 Delivered-To: freebsd-hackers@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 3B12737B404 for ; Mon, 14 Jan 2002 06:31:03 -0800 (PST) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16Q8Am-000NpU-00; Mon, 14 Jan 2002 16:33:16 +0200 From: Sheldon Hearn To: Terry Lambert Cc: freebsd-hackers@FreeBSD.org Subject: Re: [OT] OpenSSL, certification chains and Exim In-reply-to: Your message of "Fri, 11 Jan 2002 11:18:43 PST." <3C3F3A93.C1ECF9B0@mindspring.com> Date: Mon, 14 Jan 2002 16:33:16 +0200 Message-ID: <91603.1011018796@axl.seasidesoftware.co.za> Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, 11 Jan 2002 11:18:43 PST, Terry Lambert wrote: > So my advise is: > > A) Self-sign a signing certficate > B) Install it as authoritative in the software > C) Sign a leaf certificate (a *non-signing* certificate) > with the signing certificate, and use that one in your > server software Thanks, Terry. This was enormously helpful, just in terms of providing a framework within which to structure further google searches. I've managed to find some web pages describing exactly how to do what you've suggested above. [Google: openssl leaf certificate] > RFC 1423 is a good starting point, and there are a lot of nice > books on the subject, but I don't think any of them are less > than ~300 pages. Just out of curiosity, what does RFC 1423 call what you refer to as "leaf certificates"? Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message