Respect my authority

OpenSSL comes with a Perl script, CA.pl, that you can use to set up your own certificate authority and then issue certificates signed by it. Simply run CA.pl with the parameter -newca. This creates a self-signed CA certificate named "cacert.pem" and a private key file named "cakey.pem" (by default under a demoCA directory, with the key in demoCA/private). cacert.pem holds the CA's public key; distribute it to anyone who needs to authenticate a server certified by you. But keep the private key file (cakey.pem) private! If it is compromised, every certificate your CA has issued is suspect, and the attacker can issue new ones in your name: your whole CA is compromised.

You can also use CA.pl to create "certificate requests" (-newreq), for instance a request for a new server cert, and to sign them (-sign) with the CA's private key, cakey.pem, producing a certificate, say "server.pem," that chains to cacert.pem. Note that the signature is made with the private key, not with cacert.pem itself; cacert.pem is what a client uses to check that signature. Then any SSL server running with server.pem as its cert can be authenticated by any client that has a copy of cacert.pem.

But what about public servers out there on the Internet using server certificates issued by the big certificate authorities like Verisign, RSA and Thawte? In some cases you can obtain their public CA certs from their web sites. For instance, Thawte offers its public cert freely for downloading at http://www.thawte.com/serverbasic.crt. If you go to that URL with a standard browser, however, the browser will attempt to import the cert into its own certificate database, or warn you that it already has it. To get around that, use a non-browser HTTP client, something like Pete, to download the cert into a file.

If you want copies of all the major CA certs on your hard drive so you can play with OpenSSL, just export them from a browser's certificate database. Exporting from Netscape's database is easiest.