Re: making and signing new certificates

Carlos,

Thank you very much for the links. The link http://www2.psy.uq.edu.au/~ftp/Crypto/certs.html is exactly what I was looking for.

Thanks again,
Eric

On Sep 2, 2004, at 11:36 AM, Carlos Roberto Zainos H wrote:

Eric Meyer <[EMAIL PROTECTED]> wrote:

Hi Eric,

Yes, you are right, the OpenSSL documents are not well detailed and, in some cases, out of date; also sometimes, just like you, I feel a little confused and desperate, but this makes you self-learn about the library (the crypto lib, in my particular case). So, I recommend you some really useful links:

http://www.columbia.edu/~ariel/ssleay/ <- the base library, I think
http://www2.psy.uq.edu.au/~ftp/Crypto/ <- some FAQs
http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html <- programmer reference
http://www.opensslbook.com/code.html

And of course this mailing list.

There are some recommendations and security standards to verify a CSR and to create and sign a new certificate; you must read them and select the proper ones according to your needs and/or to your system or organization policies.

Follows my certification process protocol:

    X509 *x = NULL, *xreq = NULL, **b = NULL;
    X509_REQ *req = NULL, **sr = NULL;
    ASN1_GENERALIZEDTIME *N_after_gmt = NULL, **out_asn = NULL;
    BIO *in = NULL, *incer = NULL, *buf = NULL;
    EVP_PKEY *pk = NULL;

- Receive the CSR (in my case by socket connection) or read it from a file.

- Decode the CSR:

    buf = BIO_new(BIO_s_mem());
    in = BIO_new_mem_buf(mensaje, strlen(mensaje));      /* mensaje: the PEM CSR text */
    req = PEM_read_bio_X509_REQ(in, sr, NULL, NULL);

- Retrieve and decode the signer cert:

    incer = BIO_new_mem_buf(cert, strlen((const char *)cert));   /* cert: the CA PEM cert */
    x = PEM_read_bio_X509(incer, b, NULL, NULL);

- Verify the CSR with the signer pubkey:

    /* Note: a CSR is self-signed with the requester's key, so this check only
       succeeds when the key in x is the same key as in the CSR; in general the
       verifying key is X509_REQ_get_pubkey(req). The key returned by
       X509_get_pubkey() is reference counted and must be freed. */
    pk = X509_get_pubkey(x);
    if (pk == NULL || X509_REQ_verify(req, pk) != 1) {
        // Error code
    }
    EVP_PKEY_free(pk);

- Create and fill the new cert:

    xreq = X509_new();
    X509_set_version(xreq, VERSION);                     /* VERSION 2 = X509v3 */
    ASN1_INTEGER_set(X509_get_serialNumber(xreq), num_serie);
    X509_gmtime_adj(X509_get_notBefore(xreq), 0);
    X509_gmtime_adj(X509_get_notAfter(xreq), (long)60 * 60 * 24 * DAYS);
    /* The issuer is the CA's subject name (an X509_NAME *, not a C string). */
    X509_set_issuer_name(xreq, X509_get_subject_name(x));
    X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "CN", MBSTRING_ASC, "The Common Name", -1, -1, 0);
    X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "OU", MBSTRING_ASC, "The OU", -1, -1, 0);
    X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "O", MBSTRING_ASC, "The ORG", -1, -1, 0);
    X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "C", MBSTRING_ASC, "The country", -1, -1, 0);

    // The client public key (also reference counted, so free it after use)
    pk = X509_REQ_get_pubkey(req);
    X509_set_pubkey(xreq, pk);
    EVP_PKEY_free(pk);

    // X509v3 extensions (add_ext() is my own helper; xac is the issuing CA cert)
    res = add_ext(xac, xreq, NID_basic_constraints, "your options");
    res = add_ext(xac, xreq, NID_key_usage, "your options key usage");
    res = add_ext(xac, xreq, NID_ext_key_usage, "the extended key usage");
    res = add_ext(xac, xreq, NID_subject_key_identifier, "Your choice");
    res = add_ext(xac, xreq, NID_authority_key_identifier, "your choice");
    res = add_ext(xac, xreq, NID_issuer_alt_name, "some stuff");
    res = add_ext(xac, xreq, NID_netscape_cert_type, "some stuff");
    res = add_ext(xac, xreq, NID_netscape_comment, "some stuff");

    // Signing the new cert (dec_key_ac is the CA private key, an EVP_PKEY *;
    // SHA-1 was the usual digest in 2004, EVP_sha256() is the choice today)
    X509_sign(xreq, dec_key_ac, EVP_sha1());

    // Write out in some format (PEM or DER)
    res = PEM_write_bio_X509(buf, xreq);

This is a wide vision of my CertSign protocol; there are some things that are not mentioned here, like the CDP (CRL Distribution Point). A suitable guideline is the PKI Forum and the IETF PKI Working Group.

Hope this helps.

Best regards,
Zainos

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
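The same CSR-to-certificate flow as the snippet above, done with the openssl command-line tool instead of the C API, as an added example that is not part of the thread. It adds the checks a CA should run before and after signing (CSR self-signature with the key inside the CSR, CA:FALSE on the result, chain verification) and shows a tampered CSR being rejected; all keys, names and files are throwaway values created in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread: the CSR-signing flow above done with
# the openssl CLI, plus the checks a CA should make before and after signing.
# Keys, names and files are throwaway values created in a temp directory.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# 1. Throwaway CA (the "signer cert" of the thread): CA:TRUE and keyCertSign.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/C=XX/O=Example CA/CN=Example Root" 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -sha256 -extfile ca.ext \
  -out ca.crt 2>/dev/null

# 2. The client's key and CSR (what arrives over the socket or from a file).
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/C=XX/O=The ORG/OU=The OU/CN=The Common Name" 2>/dev/null

# 3. A CSR is self-signed by the requester, so it is checked with the key
#    inside the CSR (proof of possession), not with the CA key. The output is
#    grepped because older openssl versions exit 0 even on verify failure.
verify_csr() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# 4. Issue an end-entity cert: CA:FALSE, narrow key usage, SKI/AKI, one year.
cat > ee.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
issue_cert() {
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile ee.ext -out "$2" 2>/dev/null
}

# 5. Post-issuance checks: chains to our CA, and cannot itself act as a CA.
chain_ok() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
is_end_entity() { openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'; }

verify_csr client.csr
issue_cert client.csr client.crt
chain_ok client.crt
is_end_entity client.crt
# A CSR altered after signing (one base64 character of the body flipped) fails.
awk 'NR==3 { $0 = (substr($0,1,1)=="A" ? "B" : "A") substr($0,2) } 1' client.csr > tampered.csr
if verify_csr tampered.csr; then echo "tampered CSR accepted"; exit 1; fi
echo "issued: $(openssl x509 -in client.crt -noout -subject)"
```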