Distribute Your CA to Clients
Be sure all of your clients trust your new Certificate Authority.
Once you have created a Certificate Authority (CA) [Hack #45] , any certificates that are signed by your CA will be trusted by any program that trusts your CA. To establish this trust, you need to distribute your CA’s certificate to each program that needs to trust it. This could include email programs, IPSec installations, or web browsers.
Since SSL uses public key cryptography, there is no need to keep the certificate a secret. You can simply install it on a web server and download it to your clients over plain old HTTP. While the instructions for installing a CA cert are different for every program, this hack will show you a quick and easy way to install your CA on web browsers.
There are two possible formats that
browsers will accept for new CA
certs: pem
and der
. You can
generate a der
from your existing
pem
with a single openssl
command:
$ openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.der
Also, add the following line to the
conf/mime.types
file in your Apache
installation:
application/x-x509-ca-cert der pem crt
Now restart Apache for the change to take effect. You should now be
able to place both the cacert.der
and
demoCA/cacert.pem
files anywhere on your web
server and have clients install the new cert by simply clicking on
either link.
Early versions of Netscape expected pem
format, but recent versions will accept either. Internet Explorer is just the opposite (early ...
Get Network Security Hacks now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.