On Fri, Dec 29, 2006, Aaron Barnes wrote:

> Wonderful!
> I redid the root CA setup using ca.pl, modified the openssl.cnf file to
> CA:TRUE in the v3_ca section, and signed the subordinate request using
> the previous command:
> (ca -config /path/openssl.cnf -out thecertificate.pem -in
> requestfile.req -extensions v3_ca). I imported the pem file for the
> subordinate, and also the root cert, and the Windows services started up
> just fine.
> I was also able to verify its functionality by requesting some user
> certs from it.
>
> Is there much difference between signing with the openssl command above
> and the ca.pl perl script? It seems to me it is mainly helpful for
> automating the process.
>

Yes that's its main point: to make it easier to set up the appropriate file
structure and perform some common operations without having to delve into the
complexities of some of the commands.

> One last question if you don't mind. I noticed the keysize for my
> subordinate is 1024 bits. Where can I indicate the keysize when signing
> the request? In the openssl.cnf file I used, I have 4096 listed in the
> req section, but does this need to be placed elsewhere? It didn't work
> when I placed it in the v3_ca section.
>

The key is contained in the request so when it is signed it uses whatever key
is present. So if you want a larger key size you'll need to redo the request.

If the root CA also has a key size of 1024 bits you should increase that too.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
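
The point made in the reply above, that the key size is fixed when the request is generated and signing only copies that key, shown as an added example that is not part of the original thread. It assumes a throwaway root signed with `openssl x509 -req` instead of the thread's `ca -config ... -extensions v3_ca`, so no CA directory layout is needed and no CA extensions are set; all subject names and file names are constructed.

```shell
#!/bin/sh
# Added example: the RSA key size is chosen when the request is generated;
# signing copies the request's public key into the certificate unchanged.
# Subject names and file names below are constructed for illustration.

# Print the public key size (bits) recorded in a PKCS#10 request.
bits_of_req() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the public key size (bits) recorded in a certificate.
bits_of_cert() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Create a subordinate request with a key of $1 bits, sign it with a
# throwaway root, and print "<request bits> <certificate bits>".
sign_demo() {
    dir=$(mktemp -d) || return 1

    # Throwaway self-signed root. Its own key size (2048) has no effect
    # on the size of the key it certifies.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

    # The key size is decided here, when the key and request are created.
    openssl req -new -newkey "rsa:$1" -nodes \
        -subj "/CN=Example Sub CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.req" 2>/dev/null

    # Signing takes the public key from the request as-is; there is no
    # key-size option at this step.
    openssl x509 -req -in "$dir/sub.req" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/sub.pem" 2>/dev/null

    echo "$(bits_of_req "$dir/sub.req") $(bits_of_cert "$dir/sub.pem")"
    rm -rf "$dir"
}

sign_demo 4096
```

Running `bits_of_req` on a request before submitting it for signing is a quick way to confirm the key size the issued certificate will carry.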