Hey there:

I think you can simplify the process (see inline):

On Monday 27 November 2006 21:15, Chong Peng wrote:
> guys:
>
> i have a question regarding how to implement/use a private ca with
> openssl. the follow is what i have done:
>
> 1. generate ca private key and ca certificate
> $ openssl genrsa -out cakey.pem 1024
> $ openssl req -new -key cakey.pem -out cacert_req.pem
> $ openssl x509 -req -days 300 -in cacert_req.pem -signkey cakey.pem -out cacert.pem
>

Could become:

openssl req -new -x509 -keyout cakey.pem -newkey rsa:1024 \
        -out cacert.pem -days 300

and then:

> my intention here is to get the ca private key (cakey.pem)  and ca
> certificate (cacert.pem). i am assuming ca certificate is self signed
>
> 2. generate ssl private key and sign its corresponding public key with ca's
> private key
> $ openssl genrsa -out ssl_key.pem 1024
> $ openssl req -new -key ssl_key.pem -out sslcert_req.pem
> $ openssl x509 -req -days 200 -in sslcert_req.pem -signkey cakey.pem -out ssl_cert.pem
>

becomes:
# Generate the key and request.
openssl req -new -keyout ssl_key.pem -newkey rsa:1024 -out ssl_req.pem

# Sign the keys...
openssl ca -config openssl.cnf -keyfile cakey.pem -in ssl_req.pem \
        -out ssl_cert.pem -days 200

Just make sure that your openssl.cnf is properly configured (you'll want to 
make sure that you have the extensions set such that your server will accept 
them).

The CA.pl script that comes with OpenSSL actually does most of this for you, 
as long as you configure your openssl.cnf file properly.

Have fun!

-- 
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
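
The two-step workflow from the reply above, run end to end with a minimal openssl.cnf whose extensions a TLS server certificate needs. This is an added example, not part of the original message or of the OpenSSL distribution. Assumptions: the section names (`policy_cn_only`, `server_cert`, `v3_ca`), the subject names and the `.test` hostname are constructed, 2048-bit keys replace the thread's 1024, and `-nodes`, `-subj` and `-batch` are added so it runs without prompts.

```shell
# Added example: throwaway private CA; every name and path here is constructed.
build_demo_ca() {
    dir=$1
    mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/serial" || return 1
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
default_md      = sha256
policy          = policy_cn_only
x509_extensions = server_cert
[ policy_cn_only ]
commonName = supplied
[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    # CA key and self-signed CA certificate in one step.
    openssl req -new -x509 -nodes -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Demo Private CA" -days 300 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # Server key and request, then signing with the CA key via "openssl ca".
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/ssl_key.pem" -out "$dir/ssl_req.pem" 2>/dev/null || return 1
    openssl ca -batch -config "$dir/openssl.cnf" -keyfile "$dir/cakey.pem" \
        -in "$dir/ssl_req.pem" -out "$dir/ssl_cert.pem" -days 200 2>/dev/null
}
# Succeeds only if the server cert chains to the CA and carries serverAuth.
check_demo_cert() {
    openssl verify -purpose sslserver -CAfile "$1/cacert.pem" "$1/ssl_cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/ssl_cert.pem" -noout -text | grep -q "TLS Web Server Authentication"
}
demo_dir=$(mktemp -d) && build_demo_ca "$demo_dir" && check_demo_cert "$demo_dir" \
    && echo "ssl_cert.pem verifies against cacert.pem"
rm -rf "$demo_dir"
```

The `-nodes` flag leaves both private keys unencrypted on disk, which suits a throwaway directory only; drop it to be prompted for a passphrase as in the reply's commands.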
