[openssl-users] Is there a "Golden" CA makefile?

John Lewis oflameo2 at gmail.com
Sat Apr 29 20:01:47 UTC 2017


You misunderstand. 

I don't want a list of vetted root CAs. I just want a make-based wrapper
over the OpenSSL commands to make it easier to run a CA. There are a few
of them, but if there was one that is typically recommended instead, I
would use that one.

On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
> The short answer is "no".
> 
> 
> The long answer is, OpenSSL is not in the business of vetting trust
> roots.  Its business is ensuring that TLS-secured communications
> happen correctly when it is used.  If you want an 'endorsed' set of
> roots, you can find such from other projects (that have no relation to
> OpenSSL, and for which OpenSSL can take no responsibility).
> 
> 
> Since I'm not a member of the OpenSSL project, I can tell you that
> there is a set of root certificates, vetted by Mozilla, available as
> part of Mozilla's NSS (Network Security Services) project.  OpenSSL
> cannot take any responsibility for that set of roots or any
> behavior/misbehavior of any of the CAs represented in that set.  I had
> also seen a script several years ago to convert Mozilla's format to
> OpenSSL format, but I have not needed to look into it and have thus
> lost the URL to that script since then.
> 
> 
> -Kyle H
> 
> 
> On Sat, Apr 29, 2017 at 10:24 AM, John Lewis <oflameo2 at gmail.com>
> wrote:
>         I am looking for a CA makefile to use with an openvpn tutorial
>         I am writing https://github.com/Oflameo/openvpn_ws. Is there one
>         officially endorsed by the openssl project?
>         
>         --
>         openssl-users mailing list
>         To unsubscribe:
>         https://mta.openssl.org/mailman/listinfo/openssl-users
> 
> 



