On Thu, 16 May 2002, Martinez Bernardo · Maria Elena wrote:

> Benoit,
>
> You have a Client Certificate from Verisign and you can't use it to sign a
> new certificate.

Nothing could stop a programmer from using such a private key to sign other
certificates. However, an application aware of the Basic Constraints extension
would fail to validate such a certificate, if/when tracing it from the
well-known Verisign root.

> You need a CA certificate, which is the type of certificate that is able
> to sign. To obtain this kind of certificate from Verisign, you have to buy
> the "Verisign On Site" product (I think that's the product name), and you
> will become a Certification Authority.
>
> But better, create your own Certification Authority with OpenSSL.
>
> Regards,
> Elena
>
> > -----Original Message-----
> > From: Benoit Goarin [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, 16 May 2002 16:11
> > To: [EMAIL PROTECTED]
> > Subject: Certification chain problem
> >
> > Hello
> >
> > Here is my problem
> >
> > I have a Verisign signed certificate (certificate A) and want to create
> > certificates which will be signed by it.
> > I create a pair certificate (certificate B) private key and send the
> > certificate (B) to a server.
> > But when it signs the certificate with its private key (A) and returns it
> > to the client, Windows tells me that the certificate seems to be damaged.
> >
> > Here are some lines of my code:
> >
> > First, I create the pair:
> >
> >     int sn, rsaSize;
> >     RSA *rsa;
> >     X509_NAME *name;
> >
> >     sn = 1;          // serial number
> >     rsaSize = 1024;  // key size in bits
> >
> >     // create the certificate and key objects
> >     m_pX509 = X509_new();
> >     m_pKey = EVP_PKEY_new();
> >
> >     // generate the RSA key pair and assign it to the EVP_PKEY structure
> >     rsa = RSA_generate_key(rsaSize, RSA_F4, NULL, NULL);
> >     EVP_PKEY_assign_RSA(m_pKey, rsa);
> >
> >     // set the version, serial number and validity period
> >     // (X509 version numbers are zero-based: 2 selects an X.509 v3
> >     // certificate; passing 3 encodes a non-existent "v4")
> >     X509_set_version(m_pX509, 2);
> >     ASN1_INTEGER_set(X509_get_serialNumber(m_pX509), sn);
> >     X509_gmtime_adj(X509_get_notBefore(m_pX509), 0);
> >     X509_gmtime_adj(X509_get_notAfter(m_pX509), (long)60*60*24*nbDays);
> >
> >     // assign the public key to the certificate
> >     X509_set_pubkey(m_pX509, m_pKey);
> >
> >     // fill in the subject name (the information about the certificate holder)
> >     name = X509_get_subject_name(m_pX509);
> >     X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
> >                                (unsigned char *)"FR", -1, -1, 0);
> >     X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
> >                                (unsigned char *)"La Deuxieme Tete (L2T)", -1, -1, 0);
> >     X509_NAME_add_entry_by_txt(name, "Email", MBSTRING_ASC,
> >                                (unsigned char *)"[EMAIL PROTECTED]", -1, -1, 0);
> >     // this makes B its own issuer; the issuer must be the subject name of the
> >     // signing certificate (A), so the server has to overwrite it with
> >     // X509_get_subject_name(certA) before signing, or the chain does not link
> >     X509_set_issuer_name(m_pX509, name);
> >
> > Then I send the certificate to the server and do this:
> >
> >     // MD5 signatures are no longer accepted by validators; use EVP_sha256()
> >     X509_sign(m_pX509, pKey, EVP_md5());
> >
> > pKey is the private key read with
> >
> >     PEM_read_PrivateKey(fp_key, &m_pKey, NULL, NULL);
> >
> > It's a nightmare, I don't know what to do.
> > Please help me.
> >
> > Benoît Goarin
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
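Elena's advice to build your own CA with OpenSSL, and the Basic Constraints point made above, as an added example that is not from the thread: it drives the openssl command-line tool rather than the C API, and the file names, subject names and the two extension profiles are constructed here.

```shell
#!/bin/sh
# Added example: private root CA, a client certificate issued by it, and a
# certificate signed with the client key. Only the first chain validates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed extension profiles: a CA that may sign certificates, and an
# end-entity profile (CA:FALSE, no keyCertSign) that may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/ee.ext"

# new_key_and_csr NAME SUBJECT: fresh RSA key plus a certificate request.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue NAME ISSUER EXTFILE: sign NAME's request with ISSUER's key; the issuer
# name is copied from ISSUER's certificate. Note that openssl x509 does not
# refuse to sign with a non-CA key: that is only caught at validation time.
issue() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
}

# build_pki: self-signed root, a client certificate issued by it (the kind of
# certificate Benoit got from Verisign), and a certificate signed with the
# client certificate's key (what his server does).
build_pki() {
    new_key_and_csr root '/C=FR/O=Example/CN=Example Root CA'
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
        -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    new_key_and_csr client '/C=FR/O=Example/CN=client'
    issue client root ee.ext
    new_key_and_csr sub '/C=FR/O=Example/CN=sub'
    issue sub client ee.ext
}

# chain_ok LEAF [INTERMEDIATE]: exit 0 when LEAF validates up to the root.
# With the client certificate as intermediate, validation fails because it
# carries basicConstraints CA:FALSE (the "invalid CA certificate" error).
chain_ok() {
    if [ $# -gt 1 ]; then
        openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
    fi
}
```

Run `build_pki`, then `chain_ok client` succeeds while `chain_ok sub client` fails; the same check is what a Basic Constraints aware client performs on Benoit's certificate B.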