gencsr question on css11506

julxu
Level 1

I have an SSL module just installed, and tried to configure SSL termination.

I followed the quick start; after generating an RSA key and associating the key with a file, I ran ssl gencsr.

The next step is to send the output to a CA. I have tried to find a CA, and found that all of them charge a fee.

Questions:

1. On the gencsr command, there is a question about the domain. If I give myhost.mydomain.au, then the CA will only be used by myhost, is that right? So, if I give only mydomain.au, then all the hosts in my domain can use the CA, or am I wrong?

2. My clients will be Oracle users. Do I need to give each Oracle database/application a different CA?

3. Can I create a CA myself, since SSL is only used inside my company, internally?

Any comments will be appreciated.

Thanks in advance.

2 Replies

Gregory Scarlett
Cisco Employee

Not sure about the domain name, but I think that the name you specify there must match the name that the clients use to connect.

You can create a fully self-signed certificate, which is fine if all your users are internal.

Have a look at this document for details:

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/sslgd/certkeys.htm#wp999000

Gilles Dufour
Cisco Employee

1. You can get a multiple-host certificate. It is more expensive, though.

You'll have to check with the CA what they offer.

2. The certificate itself has no restriction/limitation. The problem would come from the application. If the application uses the name contained in the certificate to differentiate platforms or applications or ... you can't reuse the same certificate.

3. You can create your own CA.

Simply use the 'openssl' tool to self-sign your own certificate.

It's heavily documented on the web.

Regards,

Gilles.

Thanks for rating this answer.
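
An internal CA of the kind suggested in the replies, as an added example that is not part of the thread: it builds a private CA with openssl, signs a CSR standing in for the gencsr output, and checks which host names a client would accept. The company name, host names and file names are constructed, and the small config file is only there so the run does not depend on the system openssl.cnf.

```shell
# Added example; "Example Corp", the mydomain.au hosts and all file names are constructed.
WORK=$(mktemp -d)
# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. Internal root CA: private key plus self-signed CA certificate.
make_ca() {
    openssl req -x509 -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Issue a server certificate for exactly one name ($1).
issue_cert() {
    # Stand-in for the CSR that gencsr prints; on the CSS the key was already
    # generated and associated with a file, so only the CSR goes to the CA.
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
    printf 'extendedKeyUsage=serverAuth\n' >> "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# 3. What a client does: chain to the trusted CA and match the name it dialled.
#    $1 = name the certificate was issued for, $2 = name the client connects to.
cert_valid_for() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue_cert myhost.mydomain.au
issue_cert mydomain.au
cert_valid_for myhost.mydomain.au myhost.mydomain.au && echo "myhost cert, client dials myhost: accepted"
cert_valid_for mydomain.au myhost.mydomain.au || echo "mydomain.au cert, client dials myhost: rejected"
```

Clients accept these certificates only once ca.crt has been added to their trust store; ca.key is what must be kept protected.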