Re: Certificate and Certificate request (Using API)
Hi friends. I want to raise one more question here. What is the difference in the generated server certificate (A) if I make it using a certificate request or make it directly (X509_REQ *csr vs X509 *cert)? I have my OWN CA and its keys; I am making a new certificate (A) from an old certificate (B). The question is just whether to make the certificate directly (without making a request) OR to make a certificate request first and then make the certificate from the request. I want to know if there is any technical difference in the final certificate yielded. I know how to make a request, make a certificate, sign it, etc.

Thanks,
Saurabh

On 7/30/12, Mark H. Wood mw...@iupui.edu wrote:
> On Fri, Jul 27, 2012 at 08:05:58AM -0700, Sanford Staab wrote:
>> It really looks to me like the openssl documentation needs improvement, as well as a better tool besides CA.pl to help people use openssl in common scenarios. I suspect there is a strong demand for creative private CA support, and we should have a friendly script or cookbook for this available somewhere. Fixing this will relieve you guys of answering all these inquiries via email.
>
> TinyCA has, so far, sufficed for my modest needs. http://tinyca.sm-zone.net/
>
> --
> Mark H. Wood, Lead System Programmer mw...@iupui.edu
> Asking whether markets are efficient is like asking whether people are smart.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Certificate and Certificate request (Using API)
On Fri, Jul 27, 2012 at 08:05:58AM -0700, Sanford Staab wrote:
> It really looks to me like the openssl documentation needs improvement, as well as a better tool besides CA.pl to help people use openssl in common scenarios. I suspect there is a strong demand for creative private CA support, and we should have a friendly script or cookbook for this available somewhere. Fixing this will relieve you guys of answering all these inquiries via email.

TinyCA has, so far, sufficed for my modest needs. http://tinyca.sm-zone.net/

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Certificate and Certificate request (Using API)
On 7/27/12, Saurabh Pandya er.saurabhpan...@gmail.com wrote:
> Do roughly the same thing apps/ca.c does, except you probably don't need all its options but may want some other options: Create an X509 and set all needed X509_CINF fields in that X509 to values that you either extract from the X509_REQ and approve, or choose by your own logic (serial at least). Then sign the X509.

Using my self-signed CA's private key, isn't it??

I am asking this as I have a basic question about certificate signing:
- I have my self-signed CA A and CA key file B
- I create another RSA key pair EVP_PKEY *pkey to be used for child leaf certificates
- I create a certificate X509 *x (that is supposed to be a child of my CA)

I am setting the public key with X509_set_pubkey(x,pkey), which will set the public key part of the RSA key pkey in my certificate x. And I am signing the certificate with my private key: X509_sign(x,pkey).

Then how can I make my normal server certificate x a child of my CA certificate A? Do I need to sign it with B? I am confused about which keys to set in X509_set_pubkey() and X509_sign when I want a certificate that appears to be issued by my CA.

Thanks all.
Saurabh
Re: Certificate and Certificate request (Using API)
It really looks to me like the openssl documentation needs improvement, as well as a better tool besides CA.pl to help people use openssl in common scenarios. I suspect there is a strong demand for creative private CA support, and we should have a friendly script or cookbook for this available somewhere. Fixing this will relieve you guys of answering all these inquiries via email.

If any of the devs on openssl would like some help on writing up or coding up some docs/tools to help this process, I would be happy to help where I can. I am a Windows guy and have very little experience with Unix systems, so that is where I would be of more help. I too am new to openssl and am trying to do these same kinds of things, and have not yet been comfortable enough with my knowledge to embark on extensive coding.

Let me know if and how I can help.

Sandy

-----Original Message-----
From: Saurabh Pandya
Sent: Friday, July 27, 2012 7:20 AM
To: openssl-users@openssl.org
Subject: Re: Certificate and Certificate request (Using API)

> [...]
RE: Certificate and Certificate request (Using API)
> From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya
> Sent: Friday, 27 July, 2012 10:21
>
> On 7/27/12, Saurabh Pandya er.saurabhpan...@gmail.com wrote:
>> Do roughly the same thing apps/ca.c does, except you probably don't need all its options but may want some other options: Create an X509 and set all needed X509_CINF fields in that X509 to values that you either extract from the X509_REQ and approve, or choose by your own logic (serial at least). Then sign the X509.
>
> Using my self-signed CA's private key, isn't it??

Yes. See below.

> I am asking this as I have a basic question about certificate signing:
> - I have my self-signed CA A and CA key file B

I assume that's CA-cert file A and CA-key file B.

> - I create another RSA key pair EVP_PKEY *pkey to be used for child leaf certificates
> - I create a certificate X509 *x (that is supposed to be a child of my CA)
> I am setting the public key with X509_set_pubkey(x,pkey), which will set the public key part of the RSA key pkey in my certificate x.
> And I am signing the certificate with my private key: X509_sign(x,pkey)

No. That makes the child self-signed, not signed by the CA.

> Then how can I make my normal server certificate x a child of my CA certificate A? Do I need to sign it with B? I am confused about which keys to set in X509_set_pubkey() and X509_sign when I want a certificate that appears to be issued by my CA.

X509_set_pubkey to (public part of) child's key (pkey)
X509_set_subject_name to name of the child
X509_set_issuer_name to name of the CA, specifically X509_get_subject_name from the CA-cert in file A.
X509_set_serialNumber to a unique value you choose (some CAs use actual serial numbers 1,2,3,... but most nowadays use an obscured or totally random sequence)
X509_set_notBefore, notAfter as desired (usually notBefore=now, notAfter=now plus some interval like 3 months, 1 year, etc.)
X509_set_version depending on whether you do extensions or not
X509v3_add_ext or various X509V3_ routines for extensions
then X509_sign using (private part of) CA-key in file B
and also save the child's privatekey for the child to use
Re: Certificate and Certificate request (Using API)
Bang!! Thanks Dave. I agree with Sandy's comment about the openssl API documentation.

Thanks again,
Saurabh

On 7/28/12, Dave Thompson dthomp...@prinpay.com wrote:
> [...]
Re: Certificate and Certificate request (Using API)
Thanks all for the detailed reply.

demos/x509/mkcert.c approach: I understood that I don't need to create a certificate signing request (CSR) and I can directly create X509 *My_cert and sign it with my CA certificate/key.

demos/x509/mkreq.c approach: Still I don't understand that, if I go with this approach, I create X509_REQ *req and I sign this certificate request with the new private key (the CSR's key). THEN HOW CAN I CONVERT THIS CSR into a certificate using the API? For example, openssl has the command ca that signs a CSR and outputs the certificate. HOW CAN I DO THIS USING THE API?

- Saurabh

On 7/25/12, Saurabh Pandya er.saurabhpan...@gmail.com wrote:
> [...]
RE: Certificate and Certificate request (Using API)
> From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya
> Sent: Thursday, 26 July, 2012 02:52
>
> demos/x509/mkcert.c approach: I understood that I don't need to create a certificate signing request (CSR) and I can directly create X509 *My_cert and sign it with my CA certificate/key.
>
> demos/x509/mkreq.c approach: Still I don't understand that, if I go with this approach, I create X509_REQ *req and I sign this certificate request with the new private key (the CSR's key).

Yes.

> THEN HOW CAN I CONVERT THIS CSR into a certificate using the API? For example, openssl has the command ca that signs a CSR and outputs the certificate.

It doesn't sign the CSR. No CA ever does. It *verifies* the CSR, uses the data from the CSR to construct a cert, and signs the cert.

> HOW CAN I DO THIS USING THE API?

Do roughly the same thing apps/ca.c does, except you probably don't need all its options but may want some other options: Create an X509 and set all needed X509_CINF fields in that X509 to values that you either extract from the X509_REQ and approve, or choose by your own logic (serial at least). Then sign the X509.
Re: Certificate and Certificate request (Using API)
> Do roughly the same thing apps/ca.c does, except you probably don't need all its options but may want some other options: Create an X509 and set all needed X509_CINF fields in that X509 to values that you either extract from the X509_REQ and approve, or choose by your own logic (serial at least). Then sign the X509.

Using my self-signed CA's private key, isn't it??
Certificate and Certificate request (Using API)
-- I have created my self-signed CA (cert.pem) using the following openssl commands:
1) openssl req -config /etc/openssl.cnf -new -x509 -keyout private.key -out cert.pem -days 8000 -passin pass:abcd -passout pass:abcd
2) openssl ca -updatedb -config /etc/openssl.cnf -keyfile private.key -key abcd -cert cert.pem

-- I want to use this CA and private key to sign other (server) certificates programmatically. I am aware of the .../demo/x509/mkcert.cc and .../demo/x509.mkreq.cc sample apps.

-- QUESTIONS: Can I directly create X509 *cert, add stuff and sign it, straightforwardly (mkcert.cc)? OR do I need to create an X509_REQ (as shown in mkreq.cc) first and then sign the certificate request with the CA? (IS there any compulsion or advisory that one SHOULD/MUST make a certificate request before making a certificate?)

Thanks,
Saurabh
Re: Certificate and Certificate request (Using API)
Hi,

You will always have to create a certificate request using your private key. This certificate request is used to sign and create the respective certificate.

Hope this helps.

On Wed, Jul 25, 2012 at 2:14 PM, Saurabh Pandya er.saurabhpan...@gmail.com wrote:
> [...]

--
Regards,
Sukalp Bhople.
RE: Certificate and Certificate request (Using API)
> From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
> Sent: Wednesday, 25 July, 2012 08:45
>
> You will always have to create a certificate request using your private key.

True if you're using an external CA, but not if you're doing it yourself. The openssl command line supports both options: you can create a req and use it to issue a cert, or you can issue a self-signed cert directly. AFAICS there isn't currently a utility that can directly issue a non-self-signed cert, but a program using the openssl library, which is what the OP asked about, can do that.

> This certificate request is used to sign and create the respective certificate.

Not true. Assuming there is a request, the CA uses data from it to create the certificate (body), but the CA signs the certificate with the CA key, not with the key in the request. (The key in the request, or more exactly the privatekey matching the publickey in the request, is used to sign the *request* as proof of possession, at least in PKCS#10.)

> On Wed, Jul 25, 2012 at 2:14 PM, Saurabh Pandya er.saurabhpan...@gmail.com wrote:
>> -- I have created my self signed CA (cert.pem) ...
>> -- I want to use this CA and private key to sign other (server) certificates programmatically.
>> (IS there any compulsion or advisory, that One SHOULD/MUST make certificate request before making certificate)

There is no requirement in the OpenSSL library; you can just build an X509 body (certInfo) however you choose and then sign it. But you should be sure the key you are certifying is correct; there are two basic ways:

1. Have the entity (server) generate its keypair, give you the publickey, and tell you its identity for you to put in the certificate. Optionally they might tell you other things they want in the cert, like KeyUsage. This needs to be done securely, so that Mallory can't substitute his key in Alice's request and thereby be enabled to impersonate Alice. You could design your own scheme to do these things, but PKCS#10 already does them well and is widely implemented and supported.

2. You generate the server keypair and a certificate for it, and give both the privatekey and the cert to the server to use. There are several ways to do this; PKCS#12 is the most common and is supported by OpenSSL. If you own both the CA and the server(s), this works fine. If the server(s) belong to someone else, that person or organization now depends for their security on *you* securing the key(s) you issued them. If the server(s) will be processing data that is encrypted because it has value to somebody, be sure you are ready for this responsibility.
Re: Certificate and Certificate request (Using API)
Thanks Dave for rectifying my reply. Indeed, I was not precise in my reply.

On Thu, Jul 26, 2012 at 12:06 AM, Dave Thompson dthomp...@prinpay.com wrote:
> [...]

--
Regards,
Sukalp Bhople.