"Richard Levitte - VMS Whacker via RT" <[EMAIL PROTECTED]> writes:
> In message <[EMAIL PROTECTED]> on Wed, 31 Mar 2004 11:23:29 +0200 (METDST), "Simon > Josefsson via RT" <[EMAIL PROTECTED]> said: > > rt> > rt> "Richard Levitte via RT" <[EMAIL PROTECTED]> writes: > rt> > rt> > I'm honestly very unsure about this one. After all, "openssl ca" > rt> > already covers this, so I wonder why there's a need to create another > rt> > way to do the same thing, and add to the confusion on how to do things.. > rt> > . > rt> > rt> How would you use "openssl ca" to do the same? Wouldn't it change > rt> fields in signed certificate, or at least require that the CA key used > rt> to sign correspond to the issuer in the certificate to be signed? As > rt> far as I understood, the RT thread only indicate "openssl ca" has the > rt> same poor security as -noselfsign imply (in that it makes it possible > rt> for the user to sign certificates without POP), not that "openssl ca" > rt> can do the same operation. > > What I understood was that you wanted to be able to sign a certificate > (I call i A from now on) using a CA that doesn't have a root > certificate. That is perfectly possible to do with "openssl ca", > provided you give it that CA's certificate and key. Of course, in > preparation, you should create a certificate request (called reqA) > from certificate A. > > And yes, of course the newly signed signed certificate (A') will have > new and possibly changed extensions. That's within normal CA > operations, I believe. I'm not sure this would work in the situation I was in originally, let me explain: I had created (well, modified) a X.509 certificate by hand in a hex editor, and wanted to update the signature field using a special key. I couldn't use the CA tool because it would alter other stuff in the certificate that I didn't want it to do, and I couldn't use the X.509 mini-CA because it required that the certificate to be signed was self signed, which it obviously wasn't (the signature wasn't even valid). Fortunately it was easy to disable the self-sign test, and then I got my customized certificate, with a correct signature for the key I had chosen. I admit this might not be your everyday typical usage of OpenSSL (even though it was mine, at the time). Anyway, perhaps this explains more about what prompted me to send the patch in the first place. Thanks, Simon ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
