What about the patch below for 0.9.6d? Doc patch as well: --- x509.pod.orig Mon Jan 14 12:03:55 2002 +++ x509.pod Mon Jan 14 12:03:35 2002 @@ -43,6 +43,7 @@ [B<-CAkey filename>] [B<-CAcreateserial>] [B<-CAserial filename>] +[B<-noselfsign>] [B<-text>] [B<-C>] [B<-md2|-md5|-sha1|-mdc2>] @@ -300,7 +301,8 @@ of the CA and it is digitally signed using the CAs private key. This option is normally combined with the B<-req> option. Without the -B<-req> option the input is a certificate which must be self signed. +B<-req> option the input is a certificate which must be self signed +(unless B<-noselfsign> is specified). =item B<-CAkey filename> @@ -327,6 +329,11 @@ it will contain the serial number "02" and the certificate being signed will have the 1 as its serial number. Normally if the B<-CA> option is specified and the serial number file does not exist it is an error. + +=item B<-noselfsign> + +with this option the "mini CA" (see B<-CA>) will sign certificates +with unverified signatures. =item B<-extfile filename>
Simon Josefsson <[EMAIL PROTECTED]> writes:
> This patch that allows you to override the check for a valid self-signed
> certificate when signing certs using 'x509 -CA'. I find this useful for
> those times when you edit certs with M-x hexl-mode.
>
> --- x509.c.orig Mon Jan 14 11:41:05 2002
> +++ x509.c Mon Jan 14 11:41:41 2002
> @@ -122,6 +122,7 @@
> " missing, it is assumed to be in the CA file.\n",
> " -CAcreateserial - create serial number file if it does not exist\n",
> " -CAserial - serial file\n",
> +" -noselfsign - accept certificates that aren't self signed, for -CA.\n",
> " -text - print the certificate in text form\n",
> " -C - print out C code forms\n",
> " -md2/-md5/-sha1/-mdc2 - digest to use\n",
> @@ -137,7 +138,8 @@
> LHASH *conf, char *section);
> static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
> X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
> - int create,int days, int clrext, LHASH *conf, char *section);
> + int create,int days, int clrext, LHASH *conf,
> + char *section, int noselfsign);
> static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
> static int reqfile=0;
>
> @@ -158,6 +160,7 @@
> char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
> char *CAkeyfile=NULL,*CAserial=NULL;
> char *alias=NULL;
> + int noselfsign=0;
> int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
> int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
> int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
> @@ -339,6 +342,8 @@
> }
> else if (strcmp(*argv,"-C") == 0)
> C= ++num;
> + else if (strcmp(*argv,"-noselfsign") == 0)
> + noselfsign = ++num;
> else if (strcmp(*argv,"-email") == 0)
> email= ++num;
> else if (strcmp(*argv,"-serial") == 0)
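Review bot: The usage text in the `@@ -122` hunk, `accept certificates that aren't self signed`, understates what the option does: the `@@ -1068` hunk later in the same patch skips `X509_verify_cert` entirely when the flag is set, so an input certificate whose signature does not verify at all is also accepted and re-signed with the CA key, which is what the companion pod text ("sign certificates with unverified signatures") says. The two descriptions should agree, and the stronger one is the accurate one; suggest `" -noselfsign - with -CA, sign the input certificate without verifying it first\n"`. The name itself suggests only the self-signed requirement is relaxed, so a name such as `-noverify` would describe the behaviour more honestly, though that is a larger change than this patch.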
> @@ -844,8 +849,8 @@
>
> assert(need_rand);
> if (!x509_certify(ctx,CAfile,digest,x,xca,
> - CApkey, CAserial,CA_createserial,days, clrext,
> - extconf, extsect))
> + CApkey, CAserial,CA_createserial,days,
> + clrext, extconf, extsect, noselfsign))
> goto end;
> }
> else if (x509req == i)
> @@ -966,7 +971,7 @@
>
> static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
> X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
> - int days, int clrext, LHASH *conf, char *section)
> + int days, int clrext, LHASH *conf, char *section, int noselfsign)
> {
> int ret=0;
> BIO *io=NULL;
> @@ -1068,8 +1073,8 @@
> /* NOTE: this certificate can/should be self signed, unless it was
> * a certificate request in which case it is not. */
> X509_STORE_CTX_set_cert(&xsc,x);
> - if (!reqfile && !X509_verify_cert(&xsc))
> - goto end;
> + if (!reqfile && !noselfsign && !X509_verify_cert(&xsc))
> + goto end;
>
> if (!X509_check_private_key(xca,pkey))
> {
> @@ -1132,6 +1137,7 @@
> if (ok)
> {
> BIO_printf(bio_err,"error with certificate to be certified - should be >self signed\n");
> + BIO_printf(bio_err,"consider using -noselfsign\n");
> return 0;
> }
> else
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
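Review bot: With -noselfsign the new condition in the `@@ -1068` hunk short-circuits before `X509_verify_cert(&xsc)` is ever called, so the input certificate is re-signed with the CA key without any verification and without any diagnostic telling the operator that the check was skipped; a run with the flag is indistinguishable in its output from a normal run. It would be safer to keep running the verification and only downgrade a failure to a warning when the flag is set, so stderr records that an unverified certificate was certified. The `/* NOTE: this certificate can/should be self signed ... */` comment above the call should also be extended to say that -noselfsign bypasses this check. The body of x509_certify continues outside the hunk.
```c
	X509_STORE_CTX_set_cert(&xsc,x);
	/* With -noselfsign a failed verification is reported but not fatal. */
	if (!reqfile && !X509_verify_cert(&xsc))
		{
		if (!noselfsign) goto end;
		BIO_printf(bio_err,"warning: certificate to be certified did not verify; signing anyway because -noselfsign was given\n");
		}
	/* … unchanged: X509_check_private_key and the rest of x509_certify … */
```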
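Review bot: The hint `consider using -noselfsign` in the `@@ -1132` hunk is added only inside the `if (ok)` branch, which from the existing message is the case where the input certificate verified but is not self signed; if the callback follows the usual shape, the case the patch description motivates (a hand-edited certificate whose signature no longer verifies) would be reported by the other branch, which the hunk does not touch, so the hint may be attached to the wrong failure. Rather than recommending that the user switch the check off, state the precondition the check enforces, e.g. `BIO_printf(bio_err,"input certificate must be self signed unless -noselfsign is given\n");`, which documents the requirement without steering the operator towards the bypass as the default remedy. The enclosing callback function starts and ends outside the hunk, so this is inferred from the visible `if (ok)` alone.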