making and signing new certificates

2004-09-02 Thread Carlos Roberto Zainos H
Eric Meyer [EMAIL PROTECTED] wrote:

Hi Eric

Yes, you are right, the OpenSSL documents are not well detailed and, in some cases, out of date; also sometimes, just like you, I feel a little confused and desperate, but this makes you self-learn about the library (the crypto lib, in my particular case). So, I recommend you some really useful links:
http://www.columbia.edu/~ariel/ssleay/ - the base library, I think
http://www2.psy.uq.edu.au/~ftp/Crypto/ - some FAQs
http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html - programmer reference
http://www.opensslbook.com/code.html

And of course this mailing list ..

There are some recommendations and security standards to verify a CSR and to create and sign a new certificate; you must read them and select the proper ones according to your needs and/or to your system or organization policies.

Follows my certification process protocol:

#include <string.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>

/* Supplied elsewhere in my code: mensaje (the PEM CSR text), cert (the PEM signer cert),
   num_serie, DAYS, VERSION (2 for an X509v3 cert), xac and dec_key_ac (the CA certificate
   and its private key) and my add_ext() helper, which builds one X509v3 extension. */
X509 *x = NULL, *xreq = NULL, **b = NULL;
X509_REQ *req = NULL, **sr = NULL;
ASN1_GENERALIZEDTIME *N_after_gmt = NULL, **out_asn = NULL;
BIO *in = NULL, *incer = NULL, *buf = NULL;
EVP_PKEY *signer_key = NULL, *req_key = NULL;
int res;

- Receive the CSR (in my case by socket connection) or read it from a file.
- Decode the CSR:
buf = BIO_new(BIO_s_mem());
in = BIO_new_mem_buf(mensaje, strlen(mensaje));
req = PEM_read_bio_X509_REQ(in, sr, NULL, NULL);
- Retrieve and decode the signer cert:
incer = BIO_new_mem_buf(cert, strlen((const char *)cert));
x = PEM_read_bio_X509(incer, b, NULL, NULL);
- Verify the CSR with the signer pubkey:
signer_key = (x != NULL) ? X509_get_pubkey(x) : NULL;
if (req == NULL || signer_key == NULL || X509_REQ_verify(req, signer_key) != 1) {
    // Error code
}
EVP_PKEY_free(signer_key);   /* X509_get_pubkey() returns a reference that must be freed */
- Create and fill the new cert:
xreq = X509_new();
X509_set_version(xreq, VERSION);
ASN1_INTEGER_set(X509_get_serialNumber(xreq), num_serie);
X509_gmtime_adj(X509_get_notBefore(xreq), 0);
X509_gmtime_adj(X509_get_notAfter(xreq), (long)60 * 60 * 24 * DAYS);
X509_set_issuer_name(xreq, X509_get_subject_name(xac));   /* issuer = the CA's subject name, not a string */
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "CN", MBSTRING_ASC, "The Common Name", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "OU", MBSTRING_ASC, "The OU", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "O", MBSTRING_ASC, "The ORG", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "C", MBSTRING_ASC, "The country", -1, -1, 0);
// The client public key (taken from the CSR, never the CA's key)
req_key = X509_REQ_get_pubkey(req);
X509_set_pubkey(xreq, req_key);
EVP_PKEY_free(req_key);
// X509v3 Extensions
res = add_ext(xac, xreq, NID_basic_constraints, "your options");
res = add_ext(xac, xreq, NID_key_usage, "your options key usage");
res = add_ext(xac, xreq, NID_ext_key_usage, "the extend key usage");
res = add_ext(xac, xreq, NID_subject_key_identifier, "Your choice");
res = add_ext(xac, xreq, NID_authority_key_identifier, "your choice");
res = add_ext(xac, xreq, NID_issuer_alt_name, "some stuff");
res = add_ext(xac, xreq, NID_netscape_cert_type, "some stuff");
res = add_ext(xac, xreq, NID_netscape_comment, "some stuff");

// Signing the new cert
X509_sign(xreq, dec_key_ac, EVP_sha1());

// Write out in some format (PEM or DER)
res = PEM_write_bio_X509(buf, xreq);

This is a wide vision of my CertSign protocol; there are some things that are not mentioned here, like the CDP (CRL Distribution Point). A suitable guideline is the PKI Forum and the IETF PKI Working Group.

Hope this helps
Best regards
Zainos
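The same issuance sequence written against Go's standard crypto/x509, as an added example that is neither Zainos's code nor OpenSSL's: the CA key, CA certificate and client request are constructed fixtures (Ed25519 and the names "Demo CA" and "client.example.test" are choices made here), the request is handled in DER form, and the function names issueFromCSR and runDemo are mine. It makes the point the C steps above make: verify the request's signature first, then let the CA decide serial, validity, issuer and extensions, taking only the subject and public key from the request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueFromCSR mirrors the post's steps: parse the request, verify its signature (proof that the
// requester holds the private key), then set serial, validity, issuer and extensions from CA policy.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey ed25519.PrivateKey, serial int64, days int) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // same role as X509_REQ_verify: reject a request that does not verify
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, // CN/OU/O/C as requested; nothing else is copied
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: an end-entity certificate
	}
	// Issuer name and AuthorityKeyId are taken from ca; the certified key is the request's, never the CA's.
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// runDemo builds a constructed CA and client request (fixtures, not a real PKI), issues the
// certificate, parses it back and checks that the CA signed it.
func runDemo() (*x509.Certificate, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(48 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER) // parsing fills SubjectKeyId, which becomes the leaf's AuthorityKeyId
	_, clientKey, _ := ed25519.GenerateKey(rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "client.example.test"}}, clientKey)
	leafDER, err := issueFromCSR(csrDER, ca, caKey, 1001, 365)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(leafDER) // just issued, so it parses
	return leaf, leaf.CheckSignatureFrom(ca)  // checks ca may sign certificates and that its key signed leaf
}

func main() { fmt.Println(runDemo()) } // prints the issued certificate and the check's error (nil on success)
```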


Re: making and signing new certificates

2004-09-02 Thread Eric Meyer
Carlos,
Thank you very much for the links. The link 
http://www2.psy.uq.edu.au/~ftp/Crypto/certs.html is exactly what I was 
looking for.

Thanks again
Eric
On Sep 2, 2004, at 11:36 AM, Carlos Roberto Zainos H wrote:

[...]
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        [EMAIL PROTECTED]
Automated List Manager           [EMAIL PROTECTED]