[openssl-users] Is there a "Golden" CA makefile?

John Lewis oflameo2 at gmail.com
Sun Apr 30 01:04:10 UTC 2017


I fought easypki for a week trying to figure out how to actually use a
Sub CA and couldn't find one. I'm not going to teach anyone not to use a
Sub CA because that would be malpractice in my opinion. 


On Sat, 2017-04-29 at 23:53 +0100, Alan Buxey wrote:
> https://github.com/google/easypki ,
> http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a
> simple similar system when using OpenVPN years ago. it was (IMHO) very
> good but the powers that be decided that OpenVPN wasn't the way to go
> and so money was spent on an (inflexible and non-modifiable) closed
> source proprietary VPN solution instead :/
> 
> On 29 April 2017 at 21:01, John Lewis <oflameo2 at gmail.com> wrote:
> > You misunderstand.
> >
> > I don't want a list of vetted root CAs. I just want a make based wrapper
> > over the OpenSSL commands to make it easier to run a CA. There are a few
> > of them, but if there was one that is typically recommended instead, I
> > would use that one.
> >
> > On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
> >> The short answer is "no".
> >>
> >>
> >> The long answer is, OpenSSL is not in the business of vetting trust
> >> roots.  Its business is ensuring that TLS-secured communications
> >> happen correctly when it is used.  If you want an 'endorsed' set of
> >> roots, you can find such from other projects (that have no relation to
> >> OpenSSL, and for which OpenSSL can take no responsibility).
> >>
> >>
> >> Since I'm not a member of the OpenSSL project, I can tell you that
> >> there is a set of root certificates, vetted by Mozilla, available as
> >> part of Mozilla's NSS (Network Security Services) project.  OpenSSL
> >> cannot take any responsibility for that set of roots or any
> >> behavior/misbehavior of any of the CAs represented in that set.  I had
> >> also seen a script several years ago to convert Mozilla's format to
> >> OpenSSL format, but I have not needed to look into it and have thus
> >> lost the URL to that script since then.
> >>
> >>
> >> -Kyle H
> >>
> >>
> >> On Sat, Apr 29, 2017 at 10:24 AM, John Lewis <oflameo2 at gmail.com>
> >> wrote:
> >>         I am looking for a CA makefile to use with an openvpn tutorial
> >>         I am writing https://github.com/Oflameo/openvpn_ws. Is there one
> >>         officially endorsed by the openssl project?
> >>
> >>         --
> >>         openssl-users mailing list
> >>         To unsubscribe:
> >>         https://mta.openssl.org/mailman/listinfo/openssl-users
> >>
> >
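Added example, not part of the thread and not taken from easypki, the Fedora PKI project or the openvpn_ws repository: a minimal make-based wrapper over the openssl CLI of the kind asked for above, building an offline root CA, a Sub CA signed by it, and a server certificate issued only by the Sub CA, then verifying the chain. It assumes GNU make and an openssl binary that supports `x509 -req -extfile` (1.1.x or later); the output directory, subject names and the `vpn.example.test` server name are placeholders.

```makefile
# Assumed layout: all material under $(OUT). Keys are left unencrypted (-nodes)
# only to keep the example short; protect $(OUT) or add -passout in practice.
OPENSSL ?= openssl
OUT     ?= out
# Placeholder server name; override with: make CN=vpn.yourdomain.example
CN      ?= vpn.example.test

.PHONY: all verify clean
all: verify

$(OUT):
	mkdir -p $@ && chmod 700 $@

# Extension profiles. pathlen caps how many CA tiers may sit below each CA.
$(OUT)/root.ext: | $(OUT)
	printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:1' \
	    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > $@
$(OUT)/sub.ext: | $(OUT)
	printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
	    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
	    'authorityKeyIdentifier=keyid' > $@
$(OUT)/server.ext: | $(OUT)
	printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=critical,digitalSignature' \
	    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:$(CN)' \
	    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > $@

# One key + CSR per entity; the .key file is written as a side effect of the .csr rule.
$(OUT)/%.csr: | $(OUT)
	$(OPENSSL) req -new -newkey rsa:2048 -nodes -keyout $(OUT)/$*.key -out $@ -subj "$(SUBJ)"
$(OUT)/root.csr:   SUBJ = /CN=Example Root CA
$(OUT)/sub.csr:    SUBJ = /CN=Example Sub CA
$(OUT)/server.csr: SUBJ = /CN=$(CN)

# Root CA: self-signed and meant to stay offline. root.key signs exactly one thing: the Sub CA.
$(OUT)/root.crt: $(OUT)/root.csr $(OUT)/root.ext
	$(OPENSSL) x509 -req -in $< -signkey $(OUT)/root.key -days 3650 -extfile $(OUT)/root.ext -out $@

# Sub CA: signed by the root; day-to-day issuance uses sub.key, never root.key.
$(OUT)/sub.crt: $(OUT)/sub.csr $(OUT)/sub.ext $(OUT)/root.crt
	$(OPENSSL) x509 -req -in $< -CA $(OUT)/root.crt -CAkey $(OUT)/root.key -CAcreateserial \
	    -days 1825 -extfile $(OUT)/sub.ext -out $@

# Server (leaf) certificate, issued by the Sub CA only.
$(OUT)/server.crt: $(OUT)/server.csr $(OUT)/server.ext $(OUT)/sub.crt
	$(OPENSSL) x509 -req -in $< -CA $(OUT)/sub.crt -CAkey $(OUT)/sub.key -CAcreateserial \
	    -days 825 -extfile $(OUT)/server.ext -out $@

# Check the chain the way a client does: root trusted, Sub CA untrusted, leaf under test.
verify: $(OUT)/server.crt
	$(OPENSSL) verify -CAfile $(OUT)/root.crt -untrusted $(OUT)/sub.crt $(OUT)/server.crt

clean:
	rm -rf $(OUT)
```

`make` builds everything and runs the verification; `make clean` wipes the directory, including the private keys.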