"Richard Levitte - VMS Whacker via RT" <[EMAIL PROTECTED]> writes:

> In message <[EMAIL PROTECTED]> on Wed, 31 Mar 2004 11:23:29 +0200 (METDST), "Simon 
> Josefsson via RT" <[EMAIL PROTECTED]> said:
>
> rt> 
> rt> "Richard Levitte via RT" <[EMAIL PROTECTED]> writes:
> rt> 
> rt> > I'm honestly very unsure about this one.  After all, "openssl ca" 
> rt> > already covers this, so I wonder why there's a need to create another 
> rt> > way to do the same thing, and add to the confusion on how to do things..
> rt> > .
> rt> 
> rt> How would you use "openssl ca" to do the same?  Wouldn't it change
> rt> fields in signed certificate, or at least require that the CA key used
> rt> to sign correspond to the issuer in the certificate to be signed?  As
> rt> far as I understood, the RT thread only indicate "openssl ca" has the
> rt> same poor security as -noselfsign imply (in that it makes it possible
> rt> for the user to sign certificates without POP), not that "openssl ca"
> rt> can do the same operation.
>
> What I understood was that you wanted to be able to sign a certificate
> (I call i A from now on) using a CA that doesn't have a root
> certificate.  That is perfectly possible to do with "openssl ca",
> provided you give it that CA's certificate and key.  Of course, in
> preparation, you should create a certificate request (called reqA)
> from certificate A.
>
> And yes, of course the newly signed signed certificate (A') will have
> new and possibly changed extensions.  That's within normal CA
> operations, I believe.

I'm not sure this would work in the situation I was in originally, let
me explain:

I had created (well, modified) a X.509 certificate by hand in a hex
editor, and wanted to update the signature field using a special key.
I couldn't use the CA tool because it would alter other stuff in the
certificate that I didn't want it to do, and I couldn't use the X.509
mini-CA because it required that the certificate to be signed was self
signed, which it obviously wasn't (the signature wasn't even valid).
Fortunately it was easy to disable the self-sign test, and then I got
my customized certificate, with a correct signature for the key I had
chosen.

I admit this might not be your everyday typical usage of OpenSSL (even
though it was mine, at the time).  Anyway, perhaps this explains more
about what prompted me to send the patch in the first place.

Thanks,
Simon

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to