>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Wednesday, 25 July, 2012 08:45

>You will always have to create a certificate request using your private
>key.

True if you're using an external CA, but not if you're doing it yourself.
openssl commandline supports both options: you can create a req and use it 
to issue a cert, or you can issue a self-signed cert directly. AFAICS there 
isn't currently a utility that can directly issue non-self-signed, but 
a program using openssl library, which is what the OP asked, can do that.

>This certificate request is used to sign and create respective certificate.

Not true. Assuming there is a request, the CA uses data from it to create 
the certificate (body), but the CA signs the certificate with the CA key, 
not with the key in the request. (The key in the request, or more exactly 
the privatekey matching the publickey in the request, is used to sign 
the *request* as proof of possession, at least in PKCS#10.)


>On Wed, Jul 25, 2012 at 2:14 PM, Saurabh Pandya
><er.saurabhpan...@gmail.com> wrote:
>       --> I have created my self signed CA (cert.pem) ...
>       --> I want to use this CA and private key to sign other (server)
>       certificates programmatically.

>     (IS there any compulsion or advisory, that One SHOULD/MUST make
>       certificate request before making certificate)

There is no requirement in the OpenSSL library; you can just build an X509 
body (certInfo) however you choose and then sign it. But you should be sure 
the key you are certifying is correct; there are two basic ways:

1. Have the entity (server) generate its keypair, give you the publickey, 
and tell you its identity for you to put in the certificate. Optionally 
they might tell you other things they want in the cert, like KeyUsage.
This needs to be done securely, so that Mallory can't substitute his 
key in Alice's request and thereby be enabled to impersonate Alice.
You could design your own scheme to do these things, but PKCS#10 already 
does them well and is widely implemented and supported.

2. You generate the server keypair and a certificate for it, and give 
both the privatekey and the cert to the server to use. There are several 
ways to do this; PKCS#12 is the most common and is supported by OpenSSL. 
If you own both the CA and the server(s), this works fine.
If the server(s) belong to someone else, that person or organization now 
depends for their security on *you* securing the key(s) you issued them.
If the server(s) will be processing data that is encrypted because it has 
value to somebody, be sure you are ready for this responsibility.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
