Hi,

You must have a CA certificate to be able to sign other certificates. Did
you get a CA certificate from VeriSign?

You do this in openssl by specifying v3_ca extensions (as per the demoCA
openssl.cnf file).

/Pankaj.

-----Original Message-----
From: Benoit Goarin
To: [EMAIL PROTECTED]
Sent: 5/16/02 7:11 AM
Subject: Certification chain problem

Hello

Here is my problem

I have a VeriSign-signed certificate (certificate A) and want to create
certificates which will be signed by it.
I create a certificate (certificate B) / private key pair and send the
certificate (B) to a server.
But when it signs the certificate with its private key (A) and returns it
to the client, Windows tells me that the certificate seems to be damaged.

Here are some lines of my code:

First, I create the pair:

        int sn, rsaSize;
        RSA * rsa;
        X509_NAME * name;

        sn=1; // serial number
        rsaSize=1024; // key size in bits

        // create the certificate and key objects
        m_pX509 = X509_new();
        m_pKey = EVP_PKEY_new();

        // generate the RSA key pair and attach it to the EVP_PKEY structure
        rsa = RSA_generate_key(rsaSize, RSA_F4, NULL, NULL);

        EVP_PKEY_assign_RSA(m_pKey, rsa);

        // set the version, serial number and validity period
        // (X509_set_version takes a zero-based value: 2 means X.509v3)
        X509_set_version(m_pX509,3);
        ASN1_INTEGER_set(X509_get_serialNumber(m_pX509), sn);
        X509_gmtime_adj(X509_get_notBefore(m_pX509), 0);
        X509_gmtime_adj(X509_get_notAfter(m_pX509), (long)60*60*24*nbDays);

        // attach the public key to the certificate
        X509_set_pubkey(m_pX509, m_pKey);

        // fill in the subject name of the certificate's owner
        name = X509_get_subject_name(m_pX509);
        X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
                                   (unsigned char*)"FR", -1, -1, 0);
        X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
                                   (unsigned char*)"La Deuxieme Tete (L2T)", -1, -1, 0);
        X509_NAME_add_entry_by_txt(name, "Email", MBSTRING_ASC,
                                   (unsigned char*)"[EMAIL PROTECTED]", -1, -1, 0);
        // the same name is reused as the issuer, so the issuer field names
        // this certificate itself rather than the CA whose key signs it
        X509_set_issuer_name(m_pX509, name);


Then I send the certificate to the server and do this:

        X509_sign(m_pX509, pKey, EVP_md5());

pKey is the private key read with:
        PEM_read_PrivateKey(fp_key, &m_pKey, NULL, NULL);


It's a nightmare, I don't know what to do.
Please help me.


Benoît Goarin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
