Julien,
Here is my way to deal with the certificates, both server and CA.
First, define some common variables in a script that may be labelled
"env.bat":
set SSLEAY=path\to\ssleay.exe
set REQ=newreq/your_request.pem
set CERT=certs/your_cert.pem
set USEPORT=4433
set USECERT=your_cert.pem
set USECA=cacert.pem
set USEKEY=your_key.pem
Make a directory "newreq" which should contain "your_request.pem",
as well as a directory "certs" which will later contain "your_cert.pem",
if they do not exist under the root of your CA.
1. Make a CA if you haven't done so already:
call some\other\path\env.bat
%SSLEAY% req -new -x509 -config ssleay.conf -keyout private/cakey.pem -out cacert.pem
2. Make a server cert request:
call some\path\env.bat
%SSLEAY% req -new -keyout your_key.pem -out %REQ% -days 730 -config ssleay.conf
3. Give the server cert request to the CA, and sign it:
call some\other\path\env.bat
%SSLEAY% ca -batch -config ssleay.conf -policy policy_anything -in %REQ% -out %CERT% -days 730
4. Launch s_server using the new cert and key:
call some\path\env.bat
%SSLEAY% s_server -accept %USEPORT% -cert %USECERT% -key %USEKEY% -CAfile %USECA% -state -www
Don't bother about the -days 730; your mileage may vary.
I apologize for the environment chosen; you're obviously dealing
with MS batch files, but I suppose a "port" to shell scripts would
not impede functionality in any way. ;-).
Cheers!
Ulrich
--- Julien Beasley <[EMAIL PROTECTED]> wrote:
> I apologize if this is an often asked question. I have been looking
> through the documentation, and experimenting, but I have not been able to
> do what I want to do.
>
> I have a private key that I created with
>
> /usr/local/ssl/bin/req -new -x509
>
> This key is now called privkey.pem
>
> I now want to create a new key/certificate pair
> /usr/local/ssl/bin/req -new -x509 -keyout keyb.pem > cert.pem
>
> I now have keyb.pem (the private key for keyb), and cert.pem (the public
> key for b (am I correct?)).
>
> What I now want to do is sign cert.pem with privkey.pem, so that people
> seeing cert.pem could be sure that it was trusted by privkey.pem.
>
> How can I do this?
> I tried
>
> /usr/local/ssl/bin/x509 -signkey privkey.pem <cert.pem > cert2.pem
>
> However, when I try to look at cert2 with
>
> /usr/local/ssl/bin/asn1parse < cert2.pem
>
> I see no mention of privkey... If anyone could tell me what I am doing
> wrong, I would be most appreciative. It certainly is asking me for the
> passphrase of privkey, so maybe it is signing correctly and I just don't
> know how to see it?
>
> Thank you very much for your time,
>
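The same CA flow as an added example in Go's standard crypto/x509 (this is not Ulrich's batch script nor OpenSSL code; the CA name "Example CA" and server name "server.example.test" are made up): step 1 produces the self-signed CA certificate, step 3 has the CA issue the server certificate for the server's public key, and the check a peer holding cacert.pem makes then succeeds for that certificate but fails for one made the `x509 -signkey` way, because -signkey self-signs the input with the supplied key instead of chaining it to the CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a certificate for pub: self-signed by issuerKey when issuer is nil ("req -new -x509", "x509 -signkey"), otherwise issued by that CA (step 3, "ca ... -in ... -out").
func issue(serial int64, cn string, isCA bool, pub any, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(730 * 24 * time.Hour), // "-days 730"
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{cn}} // leaf: the name a TLS client matches
	if isCA { // a CA certificate is marked CA and permitted to sign; it carries no server name
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.DNSNames = true, true, x509.KeyUsageCertSign, nil
	}
	if issuer == nil {
		issuer = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey))
	return must(x509.ParseCertificate(der))
}

// VerifiesAgainst reports whether cert chains to ca: the check a peer holding cacert.pem (-CAfile) makes.
func VerifiesAgainst(cert, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: cert.Subject.CommonName})
	return err == nil
}

// Run performs steps 1-3 of the reply plus the quoted "x509 -signkey" attempt and reports whether the CA-signed and the self-signed server certificate verify against the CA.
func Run() (caSignedOK, selfSignedOK bool) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ca := issue(1, "Example CA", true, &caKey.PublicKey, nil, caKey) // step 1: self-signed CA certificate
	srvKey := must(rsa.GenerateKey(rand.Reader, 2048))               // step 2: server key (and request)
	signed := issue(2, "server.example.test", false, &srvKey.PublicKey, ca, caKey)       // step 3: CA signs
	selfSigned := issue(3, "server.example.test", false, &srvKey.PublicKey, nil, srvKey) // -signkey: self-signed
	return VerifiesAgainst(signed, ca), VerifiesAgainst(selfSigned, ca)
}
```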
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]