Eric Bolinger wrote:
> 
> Patrick,
> 
> I tried using your examples, but it generated three self-signed
> certificates.
> So I read the man page:
> http://www.openssl.org/docs/apps/x509.html#SIGNING_OPTIONS
> It looks like the "-signkey file" option is used only for the root CA.
> 
> Try this to sign the other CAs using the "-CA" and "-CAkey" options:
> 
> # intermediate CA signed by the root CA
> % openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca2.key 1024
> % openssl req -new -key /export/home/pli/cert/ca2.key -out ca2.csr
> % openssl x509 -req -in ca2.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial -out ca2.crt
> 
> # server certificate signed by the intermediate CA
> % openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca3.key 1024
> % openssl req -new -key /export/home/pli/cert/ca3.key -out ca3.csr
> % openssl x509 -req -in ca3.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial -out ca3.crt
> 

That doesn't quite work because the intermediate CA won't have the
correct extensions. If you're using the 'x509' utility to sign
certificate requests then the options:

 -extfile /some/path/to/openssl.cnf -extensions some_section

should be used, where 'some_section' is v3_ca to sign a CA certificate
and usr_cert otherwise.

The CA.pl perl wrapper makes all this much easier (see manual page); it
also has a -signCA option to sign an intermediate CA.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
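As an added example (not code from the thread, nor OpenSSL's own CA.pl), the following POSIX shell script builds the root, intermediate and server certificates Eric was after with "openssl x509 -req -CA/-CAkey", attaching the v3_ca and usr_cert sections through -extfile/-extensions as Steve describes, and then issues the same intermediate without those options to show why the quoted commands fail verification. The config sections, CA names, file names and scratch directory are made up for the demonstration; the script needs only the openssl command-line tool (1.1 or 3.x) and uses unencrypted keys to stay non-interactive.

```shell
#!/bin/sh
# Added demo: three-tier chain with "openssl x509 -req" and -extfile/-extensions.
# Names, paths and config sections below are invented for this example.
set -e

# Minimal config: the [req] section lets "openssl req" run without the system
# openssl.cnf; v3_ca and usr_cert carry the extensions the reply refers to.
write_config() {
  cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ usr_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# new_csr DIR NAME CN: fresh RSA key plus a CSR for it (demo keys are unencrypted).
new_csr() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" \
    -config "$1/ext.cnf" -out "$1/$2.csr"
}

# sign_csr DIR CSR ISSUER_CRT ISSUER_KEY SECTION OUT: issue DIR/OUT.crt from
# DIR/CSR.csr with DIR/ISSUER_CRT.crt and DIR/ISSUER_KEY.key. An empty SECTION
# reproduces the quoted commands: no -extfile, hence no extensions at all.
sign_csr() {
  if [ -n "$5" ]; then
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$4.key" \
      -CAcreateserial -days 365 -extfile "$1/ext.cnf" -extensions "$5" \
      -out "$1/$6.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$4.key" \
      -CAcreateserial -days 365 -out "$1/$6.crt" 2>/dev/null
  fi
}

# build_chain DIR: root (self-signed with -signkey, v3_ca), intermediate (v3_ca)
# and server (usr_cert); plus a second intermediate issued without extensions
# and a server certificate chained to it, for comparison.
build_chain() {
  write_config "$1"
  new_csr "$1" ca1 "Example Root CA"
  openssl x509 -req -in "$1/ca1.csr" -signkey "$1/ca1.key" -days 3650 \
    -extfile "$1/ext.cnf" -extensions v3_ca -out "$1/ca1.crt" 2>/dev/null
  new_csr "$1" ca2 "Example Intermediate CA"
  sign_csr "$1" ca2 ca1 ca1 v3_ca ca2
  new_csr "$1" ca3 "server.example.test"
  sign_csr "$1" ca3 ca2 ca2 usr_cert ca3
  # Same CSRs and keys, but the intermediate is issued the way the quoted
  # commands did it: no -extfile/-extensions.
  sign_csr "$1" ca2 ca1 ca1 "" ca2_noext
  sign_csr "$1" ca3 ca2_noext ca2 usr_cert ca3_noext
}

# is_ca DIR NAME: true if DIR/NAME.crt carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'CA:TRUE'
}

# verify_chain DIR ROOT INTER LEAF: exit status of "openssl verify" for the chain.
verify_chain() {
  openssl verify -CAfile "$1/$2.crt" -untrusted "$1/$3.crt" "$1/$4.crt" >/dev/null 2>&1
}

DEMO="$(mktemp -d)"
build_chain "$DEMO"
if verify_chain "$DEMO" ca1 ca2 ca3; then
  echo "ca3.crt via ca2.crt (v3_ca extensions): verify OK"
fi
if verify_chain "$DEMO" ca1 ca2_noext ca3_noext; then
  echo "unexpected: chain through the unextended intermediate verified"
else
  echo "ca3_noext.crt via ca2_noext.crt (no extensions): verify FAILS"
fi
echo "certificates left in $DEMO for inspection"
```

The second chain fails because ca2_noext.crt has neither basicConstraints nor keyUsage and is not self-signed, so the verifier refuses to treat it as a CA (openssl verify typically reports "invalid CA certificate"); the same keys and CSRs verify fine once the intermediate is issued with -extensions v3_ca. Note also the -CAcreateserial flag: without it, or an existing .srl file, "x509 -req -CA" refuses to pick a serial number.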