I'd like to create client certificates requested from Netscape without
using 'openssl ca' (I have my own mechanisms for keeping track of stuff
that ca does).
I can't seem to create a cert request that doesn't have a new
private/public key pair. This is what I've tried so far:

    openssl spkac -in /tmp/req -verify -noout
    openssl spkac -in /tmp/req -pubkey -out pub -noout
    openssl req -new -key ca.key -config /tmp/req.cnf -out new
    openssl x509 -req -in new -CA ca.cert -CAkey ca.key -CAserial ca.srl -out new.cert

req is a SPKAC file as described in the SSL cookbook; req.cnf has the same
information in an openssl config file format. The certificate generated
above will not load into the browser because it doesn't match the browser's
private key (because I couldn't keep req from making a new key, and I
shouldn't be giving it the CA key either).
In the ca app, it appears to "fake" an x509 cert request with the info from
the spkac. Is there a way to do this without using ca?
thanks,
--bob
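
The key mismatch described in the post can be checked by comparing the public key in the SPKAC with the one in the issued certificate. The script below is an added example, not part of the original post or of OpenSSL: it rebuilds the posted sequence with constructed keys and names (`-subj` stands in for req.cnf), then shows a variant that uses `openssl x509 -force_pubkey`, which assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example; every key, name and file here is a constructed stand-in.
spkac_key() { openssl spkac -in "$1" -pubkey -noout 2>/dev/null; }
cert_key()  { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# Succeeds only if the certificate ($2) carries the key from the SPKAC ($1).
cert_matches_spkac() {
    a=$(spkac_key "$1") || return 2
    b=$(cert_key "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed inputs in directory $1: a stand-in for the browser's SPKAC
# (file "req") and a throwaway CA (ca.key, ca.cert).
make_inputs() {
    openssl genrsa -out "$1/browser.key" 2048 2>/dev/null &&
    openssl spkac -key "$1/browser.key" -challenge demo -out "$1/req" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -subj "/CN=Constructed CA" -days 1 -out "$1/ca.cert" 2>/dev/null
}

# The sequence from the post: the request is built with ca.key, so the
# issued certificate carries the CA's public key, not the browser's.
issue_as_posted() {
    openssl req -new -key "$1/ca.key" -subj "/CN=bob" -out "$1/new" &&
    openssl x509 -req -in "$1/new" -CA "$1/ca.cert" -CAkey "$1/ca.key" \
        -CAserial "$1/ca.srl" -CAcreateserial -out "$1/new.cert" 2>/dev/null
}

# Variant: verify the SPKAC signature (proof of possession), sign the request
# with a throwaway key, then have x509 put the SPKAC's key in the certificate.
issue_with_spkac_key() {
    openssl spkac -in "$1/req" -verify -noout 2>/dev/null &&
    openssl spkac -in "$1/req" -pubkey -noout -out "$1/pub" &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/tmp.key" \
        -subj "/CN=bob" -out "$1/new2" 2>/dev/null &&
    openssl x509 -req -in "$1/new2" -force_pubkey "$1/pub" -CA "$1/ca.cert" \
        -CAkey "$1/ca.key" -CAserial "$1/ca.srl" -CAcreateserial \
        -out "$1/new2.cert" 2>/dev/null
}

d=$(mktemp -d) && make_inputs "$d" && issue_as_posted "$d" && issue_with_spkac_key "$d"
cert_matches_spkac "$d/req" "$d/new.cert"  && echo "as posted: match"  || echo "as posted: MISMATCH"
cert_matches_spkac "$d/req" "$d/new2.cert" && echo "forced key: match" || echo "forced key: MISMATCH"
```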