"Christopher L. Everett" <[EMAIL PROTECTED]> writes: > Hello again: > > I read the OSPKI book, which pointed me at the sign.sh > script which helped quite a bit. I'm wondering if anyone can > help me with a few specifics. > > So far, how I understand a certificate request gets signed > is: > > 1) put the CSR into a file. > > 2) generate a configuration file that specifies: > > a) CA information, including which certificate > b) the subject DN > c) the certificate version (SSL v2, v3) You must mean X.509 and X.509v3. SSL versions aren't in certificates.
> d) any certificate extensions (I'm still hazy on how to > specify certificate extensions; also if I need to > specify any for a cert that's coing to be a browser > client cert, and if so which ones) > e) any other information that's required (can someone fill > me in on any other essential information for tha config > file?) > > 3) sign the request, a perlish way is > > my $cert = `\usr\local\bin\openssl ca -in cert.pem`; > > 4) do whatever post processing (store it in a DB, etc) needs > to be done > > 5) send it back to the user. > > One more question: can Netscape SPKAC files be converted into > other formats? No. The signature makes this impossible. However, it's not necessary since OpenSSL can be told to process SPKAC messages. -Ekr ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
