[EMAIL PROTECTED] wrote:
>
> Hello,
>
> We've tried to generate an SSL certificate to use in Netscape. We plan to
> also test the chain root certificate implementation but get confused.
> Could somebody provide some basic guidelines on how to create a chain
> certificate so that CA X certifies CA Y and CA Y can then certify the
> client's cert.
>
> Is it simply to use CA X to certify CA Y's root certificate, and let the
> final client's application (e.g. a browser) have all the CAs' certs
> installed? That's all? No need to make any special changes in the whole
> process? (e.g. special flags on the root CA's cert)
>
> Someone, please help! (prefer also reply by e-mail)
>
This can be a bit daunting if you aren't familiar with the commands.
There are several ways to do this.
You need CA extensions or it won't work. First the root CA certificate:
openssl req -x509 -new -keyout root.pem -out root.pem -days 512
'days' is so the later certificates fall within the root CA validity
period. Now you have a root CA and its private key in the file
'root.pem'
So next make a request for the intermediate CA:
openssl req -out careq.pem -new -keyout cacert.pem
Then sign it using x509:
openssl x509 -req -in careq.pem -extfile <path to config file>
-extensions v3_ca -CA root.pem -CAcreateserial -days 500 >>cacert.pem
The -extfile and -extensions bit makes sure the subordinate CA has
extensions relevant for a CA.
Now you have the subordinate CA and its key in cacert.pem.
Where you go from here depends on what you use to sign client
certificates. If you use 'ca' then use:
CA.pl -newca
enter cacert.pem when prompted for the CA name.
If you are using the standard Netscape SPKAC for this then you need to
include the intermediate CA when you install the client certificate as
well as the end user certificate. You can do this using crl2pkcs7:
openssl crl2pkcs7 -nocrl -certfile usercert.pem -certfile cacert.pem
-outform DER -out user.der
Then send "user.der" as MIME type application/x-x509-user-cert as
normal. This will automatically add the intermediate CA.
There is an alternative method which uses 'ca' for the intermediate CA
signing as well.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
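The root -> intermediate -> user-certificate procedure from Steve's reply, as an added, runnable example that is not code from the post or the OpenSSL project. It keeps keys in separate files, runs non-interactively (-nodes, -subj), supplies its own extension file in place of the "<path to config file>", and adds the two checks a practitioner wants: `openssl verify` on the finished chain, and the same build with the intermediate signed without CA extensions, which verification rejects. All file names, subjects and the extension file are constructed for this example; it assumes an openssl(1) binary on PATH.

```shell
# Added example, not code from the post: root CA -> sub CA -> user cert with
# openssl(1), bundle user cert + sub CA as PKCS#7, and verify the chain.
set -eu
WORK="$(mktemp -d)"; CFG="$WORK/ext.cnf"
# Constructed stand-in for the "<path to config file>" mentioned in the post.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_user ]
basicConstraints = CA:FALSE
EOF
# Self-signed root; -nodes leaves the key unencrypted so nothing prompts.
make_root() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=Example Root' -config "$CFG" \
        -extensions v3_ca -days 512 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}
# Sub CA request signed by the root with extension section $1; "none" omits CA extensions.
make_intermediate() {
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Sub CA' -config "$CFG" \
        -keyout "$WORK/ca.key" -out "$WORK/careq.pem" 2>/dev/null
    if [ "$1" = none ]; then set --; else set -- -extfile "$CFG" -extensions "$1"; fi
    openssl x509 -req -in "$WORK/careq.pem" "$@" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 500 -out "$WORK/cacert.pem" 2>/dev/null
}
# End-user request signed by the sub CA.
make_user() {
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=user' -config "$CFG" \
        -keyout "$WORK/user.key" -out "$WORK/userreq.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/userreq.pem" -extfile "$CFG" -extensions v3_user -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -out "$WORK/usercert.pem" 2>/dev/null
}
# Build everything, then check what a browser effectively checks: does the user
# cert chain to the root through the sub CA? Prints OK or FAIL.
chain_status() {
    make_root && make_intermediate "$1" && make_user
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/cacert.pem" \
        "$WORK/usercert.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# PKCS#7 bundle (user cert + sub CA) as in the post; prints the number of certs inside.
bundle_for_browser() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/usercert.pem" -certfile "$WORK/cacert.pem" -outform DER -out "$WORK/user.der"
    openssl pkcs7 -inform DER -in "$WORK/user.der" -print_certs -noout | grep -c '^subject'
}
chain_status v3_ca; bundle_for_browser; chain_status none   # OK, 2, FAIL
```

The FAIL case is the "You need CA extensions or it won't work" point made concrete: a non-self-signed intermediate without basicConstraints CA:TRUE (or keyCertSign) is rejected as an invalid CA at depth 1.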