Thanks a lot RAM & MICHEL for giving your precious time to answer my query.
Best Regards,
Rout

ramaswamy.bm wrote:
>
> Try this...if you need some extensions you can add those in openssl.cnf.
>
> export OPENSSL_CONF=./openssl.cnf
> PATH=.:$PATH
>
> # Root Certificate
> openssl genrsa -out ROOT.key 2048
> openssl req -new -x509 -key ROOT.key -sha1 -out ROOT.cert.pem -extensions root_cert -days 7400
> openssl asn1parse -in ROOT.cert.pem -out ROOT.cer -noout
>
> openssl genrsa -out endcert_key.key 2048
>
> #openssl req -new -key endcert_key -sha1 -out end_cert.cert.pem.unsigned -days 10000
> openssl req -new -key endcert_key.key -out end_cert.cert.pem.unsigned -days 7400
>
> cp ROOT.cert.pem demoCA/cacert.pem
> cat /dev/null > demoCA/index.txt
> openssl ca -in end_cert.cert.pem.unsigned -keyfile ROOT.key -extensions end_cert -out end_cert.cert.pem -notext
>
> You can add these lines in openssl.cnf
>
> [ CA_default ]
>
> dir             = ./demoCA              # Where everything is kept
> certs           = $dir/certs            # Where the issued certs are kept
> crl_dir         = $dir/crl              # Where the issued crl are kept
> database        = $dir/index.txt        # database index file.
> new_certs_dir   = $dir/newcerts         # default place for new certs.
>
> certificate     = $dir/cacert.pem       # The CA certificate
> serial          = $dir/serial           # The current serial number
> crl             = $dir/crl.pem          # The current CRL
> private_key     = $dir/private/cakey.pem # The private key
> RANDFILE        = $dir/private/.rand    # private random number file
>
> x509_extensions = usr_cert              # The extentions to add to the cert
>
> # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
> # so this is commented out by default to leave a V1 CRL.
> # crl_extensions = crl_ext
>
> default_days    = 7400                  # how long to certify for
> default_crl_days= 30                    # how long before next CRL
> # Changed by Bhupendra
> #default_md     = md5                   # which md to use.
> default_md      = sha1                  # which md to use.
> preserve        = no                    # keep passed DN ordering
>
> # A few difference way of specifying how similar the request should look
> # For type CA, the listed attributes must be the same, and the optional
> # and supplied fields are just that :-)
> policy          = policy_match
>
> # For the CA policy
> [ policy_match ]
> countryName             = optional
> organizationName        = optional
> organizationalUnitName  = optional
> commonName              = optional
> #countryName            = match
>
> [root_cert]
>
> keyUsage=critical, keyCertSign, cRLSign
> subjectKeyIdentifier=hash
> basicConstraints= critical, DER:30:06:01:01:ff:02:01:01
>
> [end_cert]
> keyUsage=critical, keyCertSign, cRLSign
> subjectKeyIdentifier=hash
> #authorityKeyIdentifier=keyid:always,issuer:always
> authorityKeyIdentifier=keyid:always
> #basicConstraints= critical, CA:TRUE, pathLenConstraint:0
> basicConstraints= critical, DER:30:06:01:01:ff:02:01:00
>
> Regards
> Ram
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mr.Rout
> Sent: Thursday, November 03, 2011 10:28 AM
> To: openssl-users@openssl.org
> Subject: RE: Help in Generating Chained ROOT Certificate
>
> Thanks Dave.
>
> Probably I have not understood the things properly.
>
> After surfing through Google I got confused.
>
> Actually I am doing TLS Client Testing which authenticates the
> Server (www.https.com in my example).
>
> Steps I followed to achieve this:
> 1) Created a Self-signed Certificate where Issuer & Subject have the same
>    CN, i.e. www.https.com
> 2) Then I import the Server.pem file on the TLS Client and the same at the Server also.
>
> Here are the OpenSSL commands to generate the Self-Signed Certificate:
> openssl genrsa -des3 -out server.key 1024
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
>
> Question here is: Can we create a "Certificate Hierarchy"?
>
> Like ROOT (Issuer=X & Subject=X) ---> SubCA (Issuer=X & Subject=Y)
>
> Please help me in generating this hierarchy.
>
> Thanks in advance.
>
> -Best Regards,
> Rout
>
>
> Dave Thompson-5 wrote:
>>
>>> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
>>> Sent: Monday, 31 October, 2011 13:43
>>
>>> I am a newbie to OpenSSL. I am confused about Chained ROOT
>>> certificates.
>>> Could someone please guide me through the step by step approach for generating
>>> a Chained ROOT certificate?
>>>
>>> e.g. My Server name is "www.https.com" (I successfully
>>> generated a Self-signed
>>> SSL certificate where I put CN=www.https.com)
>>>
>>> But wondering how would I be able to generate a ROOT certificate?
>>>
>>> Awaiting a nice reply with lucid explanation.
>>>
>> You'll have to ask a lucid question first.
>>
>> Root certificates aren't chained; if they were they wouldn't be roots.
>> A self-signed certificate is its own root; it never chains to anything.
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>
> --
> View this message in context:
> http://old.nabble.com/Help-in-Generating-Chained-ROOT-Certificate-tp32753985p32770603.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.

--
View this message in context: http://old.nabble.com/Help-in-Generating-Chained-ROOT-Certificate-tp32753985p32780667.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
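The hierarchy Rout asked for (ROOT with Issuer=Subject=X, then a SubCA issued by X) is exactly what Ram's [root_cert] and [end_cert] sections describe: the DER value 30:06:01:01:ff:02:01:00 decodes to basicConstraints CA:TRUE with pathlen 0, and 30:06:01:01:ff:02:01:01 to CA:TRUE with pathlen 1, so the "end cert" in Ram's recipe is really a one-level-deep intermediate CA, not a server certificate. The script below is an added example written for this page, not code from the thread or from the OpenSSL project. It builds Root CA -> Sub CA (pathlen:0) -> server certificate with the plain openssl CLI, using the readable `CA:TRUE, pathlen:0` spelling instead of the raw DER, then checks two things a practitioner actually cares about: that `openssl verify` accepts the server certificate via the intermediate, and that the path length constraint is enforced, so a further CA issued under the Sub CA is rejected. All subject names, file names and the `ext.cnf` layout are assumptions of this example; only the `openssl` binary is required.

```shell
#!/bin/sh
# Added example (not from the thread): Root CA -> Sub CA (pathlen:0) -> server cert,
# plus a check that the pathlen:0 constraint is enforced by openssl verify.
# Assumes only the openssl CLI; every name below is made up for the example.
set -eu

# Write an openssl config with one extension section per certificate role.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
# Empty on purpose: subjects are passed on the command line with -subj.

[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Same meaning as the thread's DER:30:06:01:01:ff:02:01:00 (CA:TRUE, pathlen 0)
[ sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# End-entity profile for the TLS server named in the thread
[ server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.https.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# issue DIR NAME SUBJECT EXT_SECTION ISSUER
# Creates DIR/NAME.key and DIR/NAME.pem, signed by DIR/ISSUER.key + DIR/ISSUER.pem.
issue() {
  dir=$1; name=$2; subj=$3; ext=$4; issuer=$5
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "$subj" -config "$dir/ext.cnf"
  openssl x509 -req -in "$dir/$name.csr" -days 825 \
    -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions "$ext" -out "$dir/$name.pem" 2>/dev/null
}

# Build root -> sub -> server inside DIR.
make_hierarchy() {
  dir=$1
  mkdir -p "$dir"
  write_config "$dir/ext.cnf"
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  # Self-signed root: issuer == subject, the case Dave's reply describes.
  openssl req -new -x509 -key "$dir/root.key" -out "$dir/root.pem" -days 3650 \
    -subj "/CN=Example Root CA" -config "$dir/ext.cnf" -extensions root_ca
  issue "$dir" sub    "/CN=Example Sub CA" sub_ca root
  issue "$dir" server "/CN=www.https.com"  server sub
}

# Exit 0 when server.pem chains to the trusted root through sub.pem.
verify_server_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" \
    "$1/server.pem" >/dev/null 2>&1
}

# Exit 0 when a CA issued *below* the pathlen:0 Sub CA is rejected, i.e. the
# constraint actually limits how deep the hierarchy may grow.
pathlen_is_enforced() {
  dir=$1
  issue "$dir" deep_ca   "/CN=One Level Too Deep CA" sub_ca deep_ca_unused 2>/dev/null || true
  issue "$dir" deep_ca   "/CN=One Level Too Deep CA" sub_ca sub
  issue "$dir" deep_leaf "/CN=deep.example.test"     server deep_ca
  cat "$dir/sub.pem" "$dir/deep_ca.pem" > "$dir/untrusted.pem"
  if openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/untrusted.pem" \
       "$dir/deep_leaf.pem" >/dev/null 2>&1; then
    return 1   # must not verify: path length constraint exceeded
  fi
  return 0
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_hierarchy "$work"
  verify_server_chain "$work" && echo "server chain verifies: OK"
  pathlen_is_enforced "$work" && echo "pathlen:0 enforced: OK"
  openssl x509 -in "$work/sub.pem" -noout -text | grep -A 1 'Basic Constraints'
fi
```

Run it as `sh hierarchy.sh demo`. Two points the thread glosses over: `-days` on `openssl req -new` (a CSR) has no effect, the validity is set when the certificate is signed; and `sha1` as `default_md` is what the 2011 recipe used, while current OpenSSL defaults to SHA-256, which is what this example relies on.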