On 26/08/2009 12:17, Peter Sylvester wrote:

OK, then how do I re-issue my root CA certificate with my already existing ca.key?
If I could have a sample command line for openssl it would help me.
Something like

OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-ca.crt -out $PREFIX-ca.der -outform der -sha256

Thanks for the sample command line, however I don't get it clearly ...
What are $CAPREFIX-ca.cacert and $PREFIX-ca.crt!?
The -extfile CA-EXTENSION.prm could be a locally modified openssl.cnf?
Then the -clrext isn't clear to me: "delete extensions before signing and input certificate". In the first place, I do want to add extensions, why ask openssl to delete them!?

Let me recall my needs:
Here's what I have: it_root_ca.crt (http://ca.institut-telecom.fr/pki/IT_MASTER_CA/itrootca.crt) and the corresponding it_root_ca.key. I want to re-sign it_root_ca.crt in order to add extensions, but I need to re-sign it with it_root_ca.key so that my PKI chain (sub CAs) and the SSL server certs below still work as usual.

Thanks a lot for your help.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
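
The re-issue asked about in the message above, as an added example that is not part of the thread: a throwaway root is re-signed with its own key to add CA extensions, and a certificate issued under the old root is then verified against the new one. All file names, subject names and the extension section are constructed for the demo; it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example. Every file name and subject below is constructed for the demo.
reissue_root_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  q() { "$@" >/dev/null 2>&1 || exit 1; }   # run quietly, abort on failure

  # 1. Stand-in for the existing root: self-signed, created without an extfile.
  q openssl genrsa -out root.key 2048
  q openssl req -new -key root.key -subj "/O=Example/CN=Example Root CA" -out root.csr
  q openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 -out root_old.crt

  # 2. A certificate already issued under that root.
  q openssl genrsa -out leaf.key 2048
  q openssl req -new -key leaf.key -subj "/O=Example/CN=www.example.test" -out leaf.csr
  q openssl x509 -req -in leaf.csr -CA root_old.crt -CAkey root.key \
      -set_serial 2 -days 365 -sha256 -out leaf.crt

  # 3. Extensions to put on the re-issued root (section name is arbitrary).
  printf '%s\n' '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
      'keyUsage = critical, keyCertSign, cRLSign' \
      'subjectKeyIdentifier = hash' > ca_ext.cnf

  # 4. Re-issue: the old certificate is the input, self-signed again with the
  #    same key. -clrext drops the extensions the input carried, then the ones
  #    from -extfile are added, so the result holds exactly the listed set.
  q openssl x509 -in root_old.crt -signkey root.key -clrext \
      -extfile ca_ext.cnf -extensions v3_ca -days 3650 -sha256 -out root_new.crt

  # 5. Checks: same public key, new extension present, old leaf still chains.
  old=$(openssl x509 -in root_old.crt -noout -pubkey | openssl dgst -sha256)
  new=$(openssl x509 -in root_new.crt -noout -pubkey | openssl dgst -sha256)
  [ "$old" = "$new" ] || exit 1
  openssl x509 -in root_new.crt -noout -text | grep -q 'CA:TRUE' || exit 1
  q openssl verify -CAfile root_new.crt leaf.crt
  echo chain-ok
)

reissue_root_demo
```

The leaf verifies against the new root because the subject name and public key are unchanged; only the root certificate itself has to be redistributed to relying parties.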