I fought easypki for a week trying to figure out how to actually use a Sub CA and couldn't find one. I'm not going to teach anyone not to use a Sub CA because that would be malpractice in my opinion.

On Sat, 2017-04-29 at 23:53 +0100, Alan Buxey wrote:
> https://github.com/google/easypki ,
> http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a
> simple similar system when using OpenVPN years ago. It was (IMHO) very
> good but the powers that be decided that OpenVPN wasn't the way to go
> and so money was spent on an (inflexible and non-modifiable) closed
> source proprietary VPN solution instead :/
>
> On 29 April 2017 at 21:01, John Lewis <oflameo2@xxxxxxxxx> wrote:
> > You misunderstand.
> >
> > I don't want a list of vetted root CAs. I just want a make based wrapper
> > over the OpenSSL commands to make it easier to run a CA. There are a few
> > of them, but if there was one that is typically recommended instead, I
> > would use that one.
> >
> > On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
> >> The short answer is "no".
> >>
> >> The long answer is, OpenSSL is not in the business of vetting trust
> >> roots. Its business is ensuring that TLS-secured communications
> >> happen correctly when it is used. If you want an 'endorsed' set of
> >> roots, you can find such from other projects (that have no relation to
> >> OpenSSL, and for which OpenSSL can take no responsibility).
> >>
> >> Since I'm not a member of the OpenSSL project, I can tell you that
> >> there is a set of root certificates, vetted by Mozilla, available as
> >> part of Mozilla's NSS (Network Security Services) project. OpenSSL
> >> cannot take any responsibility for that set of roots or any
> >> behavior/misbehavior of any of the CAs represented in that set. I had
> >> also seen a script several years ago to convert Mozilla's format to
> >> OpenSSL format, but I have not needed to look into it and have thus
> >> lost the URL to that script since then.
> >>
> >> -Kyle H
> >>
> >> On Sat, Apr 29, 2017 at 10:24 AM, John Lewis <oflameo2@xxxxxxxxx>
> >> wrote:
> >>     I am looking for a CA makefile to use with an openvpn tutorial
> >>     I am writing https://github.com/Oflameo/openvpn_ws. Is there one
> >>     officially endorsed by the openssl project?
> >>
> >>     --
> >>     openssl-users mailing list
> >>     To unsubscribe:
> >>     https://mta.openssl.org/mailman/listinfo/openssl-users