Benoit,

You have a Client Certificate from Verisign and you can't use it to sign a
new certificate.
You need a CA certificate, which is the type of certificate that is
able to sign. To obtain this kind of certificate from Verisign, you have to
buy the "Verisign On Site" product (I think that's the product name), and you
will become a Certification Authority.

But better, create your own Certification Authority with OpenSSL.

Regards,
Elena


> -----Original Message-----
> From:    Benoit Goarin [SMTP:[EMAIL PROTECTED]]
> Sent:    Thursday, May 16, 2002 16:11
> To:      [EMAIL PROTECTED]
> Subject: Certification chain problem
> 
> Hello
> 
> Here is my problem
> 
> I have a Verisign signed certificate (certificate A) and want to create 
> certificates which will be signed by it.
> I create a pair certificate (certificate B) private key and send the 
> certificate (B) to a server
> But when it signs the certificate with its private key (A) and returns it 
> to client, Windows tells me that the certificate seems to be damaged
> 
> Here are some lines of my code :
> 
> 
> First, I create the pair :
> 
>       int sn, rsaSize;
>       RSA * rsa;
>       X509_NAME * name;
> 
>       sn=1; // serial number
>       rsaSize=1024; // key size
> 
>       // create the certificate and key objects
>       m_pX509 = X509_new();
>       m_pKey = EVP_PKEY_new();
> 
>       // generate the RSA key pair and assign it to the EVP_PKEY structure
>       rsa = RSA_generate_key(rsaSize, RSA_F4, NULL, NULL);
> 
>       EVP_PKEY_assign_RSA(m_pKey, rsa);
> 
>       // set the version, serial number and validity period
>       X509_set_version(m_pX509, 2); // X.509 v3 is encoded as version value 2
>       ASN1_INTEGER_set(X509_get_serialNumber(m_pX509), sn);
>       X509_gmtime_adj(X509_get_notBefore(m_pX509), 0);
>       X509_gmtime_adj(X509_get_notAfter(m_pX509), (long)60*60*24*nbDays);
> 
>       // assign the public key to the certificate
>       X509_set_pubkey(m_pX509, m_pKey);
> 
>       // fill in the information about the certificate's creator
>       name = X509_get_subject_name(m_pX509);
>       X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
>               (unsigned char*)"FR", -1, -1, 0);
>       X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
>               (unsigned char*)"La Deuxieme Tete (L2T)", -1, -1, 0);
>       X509_NAME_add_entry_by_txt(name, "Email", MBSTRING_ASC,
>               (unsigned char*)"[EMAIL PROTECTED]", -1, -1, 0);
>       X509_set_issuer_name(m_pX509, name);
> 
> 
> Then I send the certificate to the server and do this :
> 
>       X509_sign(m_pX509, pKey, EVP_md5());
> 
> pKey is the private key read with
>       PEM_read_PrivateKey(fp_key, &m_pKey, NULL, NULL);
> 
> 
> It's a nightmare, I don't know what to do
> please help me
> 
> 
> Benoît Goarin
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
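
The difference between a client certificate and a CA certificate described in the reply, as an added example that is not part of the original thread. It assumes the `openssl` command-line tool is installed; the subjects, file names and the "Client A" certificate standing in for the Verisign-issued certificate A are all constructed for the demo.

```shell
# Added example; subjects, file names and lifetimes are constructed.
# mkcsr DIR NAME SUBJECT: new RSA key plus certificate request
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
    -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
# issue DIR ISSUER NAME SERIAL [EXT]: sign NAME.csr with ISSUER's cert and key
issue() {
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -set_serial "$4" -days 30 ${5:+-extfile "$1/ext.cnf" -extensions "$5"} \
    -out "$1/$3.crt" 2>/dev/null
}
# is_ca CERT: true if the basicConstraints extension says CA:TRUE
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# verifies TRUSTED LEAF [UNTRUSTED]: true if the chain validates
verifies() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1 | grep -q ': OK$'
}

build_demo_pki() {
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
  # Own root CA (self-signed, CA:TRUE), as the reply recommends
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" -days 30 \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # A: client certificate (CA:FALSE) issued by the root
  mkcsr "$d" a "/CN=Client A" && issue "$d" root a 2 v3_client
  # B: signed with A's private key, as in the question
  mkcsr "$d" b "/CN=Cert B" && issue "$d" a b 3
  # C: signed directly by the root CA
  mkcsr "$d" c "/CN=Cert C" && issue "$d" root c 4
}

d=$(mktemp -d) && build_demo_pki "$d"
is_ca "$d/a.crt" || echo "A: not a CA certificate"
verifies "$d/root.crt" "$d/c.crt" && echo "C (signed by CA): chain OK"
verifies "$d/root.crt" "$d/b.crt" "$d/a.crt" || echo "B (signed by A): rejected"
rm -rf "$d"
```

Signing B with A's key succeeds mechanically; it is the verifier that rejects the chain, because A is not marked as a CA.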