Re: [OpenXPKI-users] Production PKI

Fri, 16 Mar 2007 02:41:58 -0800 

Salut Robert,

On Thu, Mar 15, 2007 at 05:35:07PM +0100, Robert LISIAK wrote:
> I come back to you and to the list from an absence of some days.
hope you enjoyed your holidays ...

> I already have create keys with the ‘openxpkiadm key generate’ command -
> realm I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA - group default
> 
> But it seems that they are those for testdummyCA1 and testdummyCA2.
> Cakey.pem ).
openxpkiadm key generate only takes the names from the config file. But
as the keys themselves are only keys and do not store a name, you can
use them for anything you like.

> >I guess the next step would be to generate a CA key using openxpkiadm key
> >generate (see openxpkiadm man for documentation) and that create a
> >self-signed (testing) CA certificate (you need to do this youself, for
> >example using openssl, or it might have already been done by the Debian
> >package for you?). Then you can try out the certificate requests and
> >creation for starters.
> If I understood I have to
> 1) generate keys with openxpkiadm
Yes, or just use the ones that you have already created.

> 2) create a self-signed CAcert with openssl
> 
> How to sign my ( production) cacert  with ( testdummycaX ) keys and why?
Why? Because you need a root certificate :-) How: Use openssl:
$ openssl req -new -x509 -extensions v3_ca -key /path/to/your/ca/key
-out cacert.pem -days <number of days you want the CA cert to be valid>
-config config

A sample/minimal config file for your case would look like this:
---snip---
[ req ]
distinguished_name = req_distinguished_name
default_md         = sha1
prompt             = no
x509_extensions    = v3_ca

[ req_distinguished_name ]
0.organizationName     = My.ORG
organizationalUnitName = CA My.ORG
emailAddress           = [EMAIL PROTECTED]
localityName           = Paris
stateOrProvinceName    = IDF
countryName            = FR
commonName             = My.Org

[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
---snip---

HTH,
    Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer
        [EMAIL PROTECTED] | working @ urn:oid:1.3.6.1.4.1.11417

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

Reply via email to