If you want to take responsibility for signing certificates for your system, set up a private CA. To set up a private CA, you require access to a software package that provides utilities for creating and signing certificates. Several packages of this type are available.
One software package that allows you to set up a private CA is OpenSSL, http://www.openssl.org. OpenSSL is derived from SSLeay, an implementation of SSL developed by Eric Young (<[email protected]>). The OpenSSL package includes basic command line utilities for generating and signing certificates. Complete documentation for the OpenSSL command line utilities is available at http://www.openssl.org/docs.
To set up a private CA, see the instructions in Creating Your Own Certificates.
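The following POSIX shell script is an added example, not part of this documentation or of the Fuse Message Broker product, showing the sequence of OpenSSL command line operations a private CA performs: generate the CA key and self-signed CA certificate, accept a certificate request from an application host, sign it with the CA key, and verify that the issued certificate chains to the CA. The working directory, file names, subject names and the hostname broker.example.com are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original documentation): a minimal private CA
# driven with the OpenSSL command line utilities. Directory, file and subject
# names and the hostname broker.example.com are assumptions for this example.
set -eu

# Scratch directory holding the CA key, CA certificate and issued certificates.
# On a real CA host this directory lives on the isolated machine; only CSRs
# come in and only signed certificates go out.
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Minimal OpenSSL configuration used for the CA certificate and for CSRs.
write_config() {
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Example Private CA

# Extensions for the self-signed CA certificate: it may sign certificates and
# CRLs and nothing else.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA key pair and self-signed CA certificate. The CA private key is
# the most sensitive file produced here; it must never leave the CA host.
make_ca() {
    openssl genrsa -out "$CA_DIR/ca-key.pem" 2048 2>/dev/null
    chmod 600 "$CA_DIR/ca-key.pem"
    openssl req -x509 -new -key "$CA_DIR/ca-key.pem" -sha256 -days 365 \
        -config "$CA_DIR/ca.cnf" -extensions v3_ca \
        -subj "/CN=Example Private CA" -out "$CA_DIR/ca-cert.pem"
}

# Issue a certificate for one application host. In practice the application
# host generates its own key and sends only the CSR to the CA.
issue_cert() {
    host="$1"
    openssl genrsa -out "$CA_DIR/$host-key.pem" 2048 2>/dev/null
    chmod 600 "$CA_DIR/$host-key.pem"
    openssl req -new -key "$CA_DIR/$host-key.pem" -config "$CA_DIR/ca.cnf" \
        -subj "/CN=$host" -out "$CA_DIR/$host.csr"
    # Leaf extensions: explicitly not a CA, so a compromised application key
    # cannot be used to sign further certificates.
    cat > "$CA_DIR/$host.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -in "$CA_DIR/$host.csr" -CA "$CA_DIR/ca-cert.pem" \
        -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial -days 90 -sha256 \
        -extfile "$CA_DIR/$host.ext" -out "$CA_DIR/$host-cert.pem" 2>/dev/null
}

# Succeeds only if the issued certificate chains to this CA's certificate.
# The output is checked rather than the exit status because old OpenSSL
# releases exit 0 even when verification fails.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$CA_DIR/$1-cert.pem" 2>&1 \
        | grep -q ': OK$'
}

# Succeeds only if the issued certificate carries CA:FALSE.
is_leaf_cert() {
    openssl x509 -in "$CA_DIR/$1-cert.pem" -noout -text | grep -q 'CA:FALSE'
}

write_config
make_ca
issue_cert broker.example.com
verify_cert broker.example.com && echo "broker.example.com chains to $CA_DIR/ca-cert.pem"
```

The script keeps the CA private key at mode 0600 inside `CA_DIR` and never copies it next to an application key, which mirrors the rule in the text that the CA private key must not be available on hosts running security-critical applications; the `CA:FALSE` constraint on issued certificates is what stops a leaked application key from being used to sign further certificates that relying parties would accept.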
Choosing a host is an important step in setting up a private CA. The level of security associated with the CA host determines the level of trust associated with certificates signed by the CA.
If you are setting up a CA for use in the development and testing of Fuse Message Broker applications, use any host that the application developers can access. However, when you create the CA certificate and private key, do not make the CA private key available on any hosts where security-critical applications run.
If you are setting up a CA to sign certificates for applications that you are going to deploy, make the CA host as secure as possible. For example, take the following precautions to secure your CA:
Do not connect the CA to a network.
Restrict all access to the CA to a limited set of trusted users.
Use an RF-shield to protect the CA from radio-frequency surveillance.