Dmitry Morozovsky wrote:
>
> Now I'm staring at a very special problem: when a user already has a
> personal cert from one of the master CAs, it seems to be the "Right Thing" to use
> this cert for authorization instead of making another local user
> certificate. As I understand it, the best way to use it is to sign the existing cert
> with the local CA. Am I wrong at this stage?
...
> 3. Sign the cert. This is the problem point. Trying
> x509 -x509toreq -signkey marck.crt -in marck.crt -out new.pem
> leads to:
> Getting request Private Key
> unable to load Private Key
A request is always signed with the private key of
the requestor, which you don't have. (Hence the
error.)
If you would like to recertify you must use the
openssl x509 utility. But before you invest more
time into this you should be warned that this
newly generated cert can't be put back into the
browsers easily (at least true for older versions)
because they complain "I already have a cert for
this key".
BTW, why do you think it's wrong to issue completely
new certs for your users that already have other
certs? Don't you have more than one official ID
document, like a passport, driver's licence etc.?
If you want to rely on other's CA work you should
make some restrictions with SSLRequire directive.
--
Holger Reif Tel.: +49 361 74707-0
SmartRing GmbH Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt WWW.SmartRing.de
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]