> From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya
> Sent: Thursday, 26 July, 2012 02:52

> demos/x509/mkcert.c approach:
>     I understood that I don't need to create Certificate 
> signing request (CSR) and I can directly create
>           X509 *My_cert ,
>    and sign it with my CA certificate/key.
> 
> demos/x509/mkreq.c approach:
> Still I don't understand that; if I go with this approach, I create
>           X509_REQ *req,
> I sign this certificate request with the new private key (csr's key).

Yes.

> 
>           THEN HOW CAN I CONVERT THIS CSR into Certificate using API?
>            e.g. openssl has the command "ca" that signs the CSR and outputs
> the certificate.

It doesn't sign the CSR. No CA ever does. It *verifies* the CSR, uses 
the data from the CSR to construct a cert, and signs the cert.

>            HOW CAN I DO THIS USING API?
> 
Do roughly the same thing apps/ca.c does, except you probably don't 
need all its options but may want some other options:

Create an X509 and set all needed X509_CINF fields in that X509 
to values that you either extract from the X509_REQ and approve, 
or choose by your own logic (serial at least). Then sign the X509.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
