On 08/26/2009 04:24 PM, Peter Sylvester wrote:
Jehan PROCACCIA wrote:
Le 26/08/2009 12:17, Peter Sylvester a écrit :
OK, then how do I re-issue my root CA certificate with my already
existing ca.key ?
If I could have a sample commande line for openssl it would help me .
something like
OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm
-days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in
$PREFIX-ca.crt -out $PREFIX-ca.der -outform der -sha256
thanks for the sample command line, howerver I don't get it clearly ...
what are $CAPREFIX-ca.cacert and $PREFIX-ca.crt !?
the -extfile CA-EXTENSION.prm could be a localy modified openssl.cnf ?
then the -clrext isn't clear to me "delete extensions before signing
and input certificate", in the 1st place , I do want to add
extensions, why ask openssl to delete them !?
All $things are "variables":
$PREFIX is the cert that you want to modify (a copy or your root cert)
$CAPREFIX the key (and cert) you want to sign with (cert is used to
become issuer), agin your root cert and key.
CA_EXTENSION.prm is a complete set of extension that you want to have
with the initial
section containing extensions=whateverlistofextensions.
The original input cert contains extensions, they are "ignored" with
the -clrext.
Only the extensions from the config file are taken.
Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and
$CAPREFIX it_root_ca.key (PKI private key) .
but here's what I get :
[pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca]
$ openssl x509 -set_serial 01 -clrext -extfile openssl.cnf -days 3650
-CA it_root_ca.key -CAkey it_root_ca.key -in it_root_ca.crt -out
it_root_ca2.crt
unable to load certificate
4869:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE
did I misunderstood you ?
here's my environement:
[pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca]
$ ls -l
total 140
drwxrwxr-x 3 pkiitroot pkiitroot 4096 Jul 15 17:59 certs
-rw-rw-r-- 1 pkiitroot pkiitroot 0 Jul 15 18:00 index.txt
-rw-rw-r-- 1 pkiitroot pkiitroot 2858 Jul 15 20:13 it_root_ca.crt
-rw-rw-r-- 1 pkiitroot pkiitroot 3311 Jul 15 20:13 it_root_ca.key
drwxrwxr-x 2 pkiitroot pkiitroot 4096 Jul 15 17:59 newcerts
-rw-r--r-- 1 pkiitroot pkiitroot 9873 Jul 16 03:19 openssl.cnf
drwxrwxr-x 2 pkiitroot pkiitroot 4096 Jul 15 17:59 private
-rw-rw-r-- 1 pkiitroot pkiitroot 3 Jul 15 18:00 serial
$ rpm -q openssl
openssl-0.9.8b-8.3.el5_0.2
Thanks .
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org