[openssl-users] Is there a "Golden" CA makefile?

Alan Buxey alan.buxey at gmail.com
Sat Apr 29 22:53:41 UTC 2017


https://github.com/google/easypki ,
http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a
simple similar system when using OpenVPN years ago. It was (IMHO) very
good but the powers that be decided that OpenVPN wasn't the way to go
and so money was spent on an (inflexible and non-modifiable) closed
source proprietary VPN solution instead :/

On 29 April 2017 at 21:01, John Lewis <oflameo2 at gmail.com> wrote:
> You misunderstand.
>
> I don't want a list of vetted root CAs. I just want a make-based wrapper
> over the OpenSSL commands to make it easier to run a CA. There are a few
> of them, but if there was one that is typically recommended instead, I
> would use that one.
>
> On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
>> The short answer is "no".
>>
>>
>> The long answer is, OpenSSL is not in the business of vetting trust
>> roots.  Its business is ensuring that TLS-secured communications
>> happen correctly when it is used.  If you want an 'endorsed' set of
>> roots, you can find such from other projects (that have no relation to
>> OpenSSL, and for which OpenSSL can take no responsibility).
>>
>>
>> Since I'm not a member of the OpenSSL project, I can tell you that
>> there is a set of root certificates, vetted by Mozilla, available as
>> part of Mozilla's NSS (Network Security Services) project.  OpenSSL
>> cannot take any responsibility for that set of roots or any
>> behavior/misbehavior of any of the CAs represented in that set.  I had
>> also seen a script several years ago to convert Mozilla's format to
>> OpenSSL format, but I have not needed to look into it and have thus
>> lost the URL to that script since then.
>>
>>
>> -Kyle H
>>
>>
>> On Sat, Apr 29, 2017 at 10:24 AM, John Lewis <oflameo2 at gmail.com>
>> wrote:
>>         I am looking for a CA makefile to use with an openvpn tutorial
>>         I am writing https://github.com/Oflameo/openvpn_ws. Is there one
>>         officially endorsed by the openssl project?
>>
>>         --
>>         openssl-users mailing list
>>         To unsubscribe:
>>         https://mta.openssl.org/mailman/listinfo/openssl-users