Igmar Palsenberg wrote:
>
> Hi,
>
> I'm doing some testing with certificates.
>
> I want the following :
>
> Generate a root CA.
> Sign CSR's.
>
> Some problems:
>
> - Even if I tell openssl to make a CA, it doesn't.
> - Certificates are always signed by the one that is requesting it. I want
> those to be signed by me.
>
> Here are the commands I use:
>
> 1) Generate a 1024 bit private key:
>
> openssl genrsa -des3 -out privkey.pem 1024
>
> Works fine.
>
> 2) Generate a CSR
>
> openssl req -new -key privkey.pem -out request.pem
>
> Works, but I wonder: isn't a public key needed?
>
A private key contains the public key components, so that's no problem.
> 3) Generate a self-signed cert
>
> openssl x509 -req -in request.pem -out cert.pem -signkey privkey.pem
> -CAcreateserial
>
> Also works, but I think that the -signkey is the problem. I suspect that
> that is the cause that all certs are signed by the one they're going to be
> issued to, instead of me.
>
Well, initially you'll need to create a self-signed root (CA)
certificate. You can use 'x509', or preferably use 'req' directly:
openssl req -x509 -new -key privkey.pem -out rootCA.pem
This is the recommended way because the default openssl.cnf contains
sensible default CA extensions.
Now when you have a request you can use:
openssl x509 -req -in request.pem -out cert.pem -CA rootCA.pem -CAkey privkey.pem -CAcreateserial
If you do this then you should really include some extensions in this
certificate by using the -extfile option to 'x509'. The easiest way to
do this is to copy the "usr_cert" section in openssl.cnf to a file (but
without the "[ usr_cert ]" bit). So the final 'x509' command looks like
this:
openssl x509 -req -in request.pem -out cert.pem -CA rootCA.pem -CAkey privkey.pem -CAcreateserial -extfile usercert.cnf
Although you can use 'x509' like this, it's a bit awkward.
The 'ca' utility and its "friendly" CA.pl wrapper are a bit easier to use
in this regard. Basically you do:
CA.pl -newca
<creates a new CA>
CA.pl -newreq
<generates a request>
CA.pl -signreq
<signs the request>
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
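The recipe from Steve's reply, run end to end as an added shell example (it is not part of the original mail and not OpenSSL project code): a root made with `req -x509`, a CSR, a leaf signed with `x509 -req -CA ... -CAkey ... -extfile`, and, going one step past the mail, the poster's `-signkey` command run alongside it so the two results can be compared with `openssl verify`. It assumes OpenSSL 1.1.1 or later on PATH; the directory layout, the subject names, the host name www.example.test and the file ca.cnf are made up for the demo, and keys are written without a passphrase (the mail uses -des3) so it runs unattended.

```shell
#!/bin/sh
# Added example, not from the original mail. It runs the steps Steve describes:
# a self-signed root made with `req -x509`, a CSR, a leaf signed with
# `x509 -req -CA ... -CAkey ... -extfile`, and the poster's `-signkey` variant
# next to it to show why that one comes out self-signed. Assumes OpenSSL 1.1.1
# or later on PATH. Directory layout, subject names and www.example.test are
# made up for the demo; keys are written without a passphrase (the mail uses
# -des3) so the script runs unattended.
set -eu

# One config file: [ v3_ca ] feeds `req -x509`; [ usr_cert ] plays the role of
# the usr_cert section copied out of openssl.cnf (kept with its header, since
# `x509 -extensions usr_cert` selects it by name).
write_config() {
  if [ ! -f "$1/ca.cnf" ]; then
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:www.example.test
EOF
  fi
}

# Step 1, done right: root key plus a self-signed root carrying CA extensions,
# in one `req -x509` call.
make_root_ca() {
  write_config "$1"
  openssl genrsa -out "$1/rootkey.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/rootkey.pem" -config "$1/ca.cnf" \
    -subj "/CN=Example Test Root CA" -days 3650 -out "$1/rootCA.pem" 2>/dev/null
}

# Step 2: the requester's own key and CSR (what a requester would send in).
make_request() {
  write_config "$1"
  openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null
  openssl req -new -key "$1/privkey.pem" -config "$1/ca.cnf" \
    -subj "/CN=www.example.test" -out "$1/request.pem" 2>/dev/null
}

# Step 3, the CA's way: -CA/-CAkey make the root the issuer, -CAcreateserial
# keeps rootCA.srl next to the root, -extfile/-extensions add leaf extensions.
sign_request() {
  openssl x509 -req -in "$1/request.pem" -CA "$1/rootCA.pem" -CAkey "$1/rootkey.pem" \
    -CAcreateserial -days 90 -extfile "$1/ca.cnf" -extensions usr_cert \
    -out "$1/cert.pem" 2>/dev/null
}

# Step 3 as the poster ran it: -signkey signs the request with the requester's
# own key, so issuer == subject and nothing chains to the root.
self_sign_request() {
  openssl x509 -req -in "$1/request.pem" -signkey "$1/privkey.pem" -days 90 \
    -out "$1/selfsigned.pem" 2>/dev/null
}

# Prints the issuer DN of a certificate.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# 0 when certificate $2 verifies against trust anchor $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 when the certificate's issuer DN equals its subject DN.
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

main() {
  work=$(mktemp -d)
  make_root_ca "$work"
  make_request "$work"
  sign_request "$work"
  self_sign_request "$work"
  echo "cert.pem:       $(issuer_of "$work/cert.pem")"
  echo "selfsigned.pem: $(issuer_of "$work/selfsigned.pem")"
  chains_to "$work/rootCA.pem" "$work/cert.pem" && echo "cert.pem chains to rootCA.pem"
  chains_to "$work/rootCA.pem" "$work/selfsigned.pem" || echo "selfsigned.pem does not chain to rootCA.pem"
  rm -rf "$work"
}

# Run the demo when openssl is available; the functions are defined either way.
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

Run it as `sh ca-demo.sh`: the first issuer line names the root, the second names www.example.test itself, and only cert.pem passes `openssl verify`. Selecting the extension section with `-extensions usr_cert` is what lets the `[ usr_cert ]` header stay in the file instead of being stripped as the mail suggests; recent OpenSSL releases already add CA:TRUE and key identifiers to a `req -x509` root by default, but spelling them out in `[ v3_ca ]` keeps the root's extensions independent of whatever openssl.cnf happens to be installed.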