Robert Olson wrote:
> 
> I'd like to create client certificates requested from Netscape without
> using 'openssl ca' (I have my own mechanisms for keeping track of stuff
> that ca does).
> 
> I can't seem to create a cert request that doesn't have a new
> private/public key pair. This is what I've tried so far:
> 
> openssl spkac -in /tmp/req  -verify -noout
> openssl spkac -in /tmp/req  -pubkey -out pub -noout
> openssl req -new -key ca.key  -config /tmp/req.cnf  -out new
> openssl x509 -req -in new -CA ca.cert -CAkey ca.key -CAserial ca.srl -out new.cert
> 
> req is a SPKAC file as described in the SSL cookbook; req.cnf has the same
> information in an openssl config file format. The certificate generated
> above will not load into the browser because it doesn't match the browser's
> private key (because I couldn't keep req from making a new key, and I
> shouldn't be giving it the CA key either).
> 
> In the ca app, it appears to "fake" an x509 cert request with the info from
> the spkac. Is there a way to do this without using ca?
> 

Currently no, though this could be done in future (along with CRL
generation). ca also doesn't change the certificate public key or verify
the request signature in this fake. Your operation above changes the
public key, hence the error.

You can't create a real certificate request without the corresponding
private key which you don't have access to.

The best you can do at present is to create the private key as well and
import the PKCS#12 file.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
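
Added example, not part of this thread and not OpenSSL project code: the operation Robert asks for, done with the openssl command line instead of 'openssl ca'. It assumes an OpenSSL whose x509 command accepts -force_pubkey (present in current releases; it did not exist when this exchange took place) and a default openssl.cnf that 'openssl req' can find. The CA, the client key and the challenge string are all generated on the fly and are constructed demo data. The script produces a browser-style SPKAC, checks its signature (the proof of possession that 'ca -spkac' does not check), extracts the public key, and issues a certificate from a placeholder request whose public key is then overridden with the SPKAC key; for contrast it also issues one the way the thread's commands do and shows that that certificate carries the wrong public key.

```shell
#!/bin/sh
# Added example (not from the thread): issue a client certificate from a
# browser SPKAC without `openssl ca`, using `openssl x509 -force_pubkey`.
# Assumptions: an OpenSSL whose x509 command has -force_pubkey, and a
# working default openssl.cnf. Every key, the CA and the challenge are
# generated here; nothing is real CA material.
set -e

# Returns 0 if the certificate's SubjectPublicKeyInfo is byte-for-byte the
# public half of the given private key, 1 otherwise (what the browser checks).
cert_pubkey_matches() {
    cert=$1; key=$2
    [ "$(openssl x509 -in "$cert" -pubkey -noout)" = \
      "$(openssl pkey -in "$key" -pubout)" ]
}

# Runs the whole procedure in directory $1 and prints two words:
# whether the -force_pubkey certificate matches the client key, and
# whether the certificate issued the thread's way does.
spkac_demo() (
    cd "$1"
    # Throwaway CA, standing in for ca.key / ca.cert in the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.cert \
        -subj /CN=Demo-CA -days 1 2>/dev/null
    # Browser side: the private key stays in the browser; the server only
    # ever sees the SPKAC (public key + challenge, signed by that key).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out client.key 2>/dev/null
    openssl spkac -key client.key -challenge s3cret -out req
    # Server side, step 1: verify the SPKAC signature (proof of possession).
    openssl spkac -in req -verify -noout 2>/dev/null
    # Step 2: the public key the certificate must carry.
    openssl spkac -in req -pubkey -noout -out pub
    # Step 3: req must sign the placeholder request with *some* key (here the
    # CA key, as in the thread); its key does not matter because
    # -force_pubkey replaces it with the SPKAC key at issuance time.
    openssl req -new -key ca.key -subj "/CN=Robert Olson" -out new 2>/dev/null
    openssl x509 -req -in new -CA ca.cert -CAkey ca.key -CAcreateserial \
        -days 1 -force_pubkey pub -out new.cert 2>/dev/null
    # The thread's commands, for contrast: same request, no -force_pubkey,
    # so the certificate is issued for the placeholder's (CA's) public key.
    openssl x509 -req -in new -CA ca.cert -CAkey ca.key -CAserial ca.srl \
        -days 1 -out wrong.cert 2>/dev/null
    fixed=mismatch; broken=mismatch
    cert_pubkey_matches new.cert client.key && fixed=match
    cert_pubkey_matches wrong.cert client.key && broken=match
    echo "$fixed $broken"
)

spkac_demo "$(mktemp -d)"
```

Run with no arguments; it prints "match mismatch". The point of the contrast is the one Steve makes: issuing a certificate never needs the subject's private key, only the subject's public key and the CA key. The private key is needed solely to sign a request as proof of possession, which is why 'openssl req' cannot build a request around someone else's public key, and why the SPKAC route has to verify that signature separately and then put the SPKAC's public key, not the request's, into the certificate.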

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
