"Countersigning" a CA with openssl

Posted by Tom O'Connor on Server Fault See other posts from Server Fault or by Tom O'Connor
Published on 2012-03-28T12:03:51Z Indexed on 2012/03/29 5:31 UTC
Read the original article Hit count: 231

I'm pretty used to creating the PKI used for x509 authentication for whatever reason, SSL Client Verification being the main reason for doing it. I've just started to dabble with OpenVPN (Which I suppose is doing the same things as Apache would do with the Certificate Authority (CA) certificate)

We've got a whole bunch of subdomains, and applicances which currently all present their own self-signed certificates. We're tired of having to accept exceptions in Chrome, and we think it must look pretty rough for our clients having our address bar come up red.

For that, I'm comfortable to buy a SSL Wildcard CN=*.mycompany.com. That's no problem.

What I don't seem to be able to find out is:

  1. Can we have our Internal CA root signed as a child of our wildcard certificate, so that installing that cert into guest devices/browsers/whatever doesn't present anything about an untrusted root?
  2. Also, on a bit of a side point, why does the addition of a wildcard double the cost of certificate purchase?

© Server Fault or respective owner

Related posts about ssl-certificate

Related posts about openssl