>       From: owner-openssl-us...@openssl.org On Behalf Of Laerte Junior
>       Sent: Saturday, 12 November, 2011 14:22

>        I'm working on an embedded system project and I need to receive PKCS7
> and store the fields (DN, signature, public key, etc.). Before, I generated
> a CSR to test (attached file), but now I need to generate PKCS7 to test.
> How to do it? I need to generate as small a PKCS7 as possible.

PKCS7 actually is (was designed as) a general format for 
lots of things, including signed and/or encrypted data.
However, it is commonly used 'merely' to transfer one or more 
certificate(s) and/or one or more CRL(s) -- nominally for use 
to verify a related signeddata, but actually for any purpose.

The fields you name are in a cert; do you want to receive a cert?
If so, you must first get a cert, corresponding to your CSR.

Is this CSR from the 'embedded' system, or an outside one?
If the former, presumably what you want is to give the embedded 
system a cert for its keypair; what kind of cert? If the latter, 
why do you need to pre-transfer the cert rather than presenting 
it when referenced? How it is used for trust decisions will 
influence exactly which cert(s) (i.e. chain(s)) you need.

If you want a selfsigned cert and have or can get its private 
key, openssl can do that. Of course a selfsigned cert doesn't 
generally deserve trust so this might not gain you much.
If you want a cert issued (signed) under your own CA (key)(s), 
openssl can do that. If you want a cert issued under a public 
or other outside CA, you need to interact with that CA.
Alternatively, if you just want a selfsigned cert for a 
private key you have, openssl can do that directly.

If this will be a cert for the system's own keypair to be 
presented to others, storing only fields may be problematic.
You will need to reconstruct (at least) exactly the same DER 
"cert-info" (aka TBS) as was in the issued or selfsigned cert.
If not selfsigned, you may need to have (and present) part of 
the CA chain, up to (but not necessarily including) the trusted 
CA root or other (subroot) cert already on (all) the relier(s).

If you get the cert from a real CA, it might provide you a 
'degenerate' PKCS7 with your cert and any needed chain certs.
AFAIK openssl commandline cannot create this; 'pkcs7' *reads* 
it (but doesn't write), and 'smime' optionally creates a real 
pkcs7: at minimum this would be a detached signature (which your 
receiver needn't and shouldn't verify) for data you discard.
You could write about a 10-line program using openssl library 
to create a degenerate PKCS7 for a cert, or chain. 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
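
The 'degenerate' (certs-only) PKCS7 mentioned in the reply, laid out byte by byte following the SignedData structure of RFC 2315. This is an added example, not code from the thread, and it hand-encodes the DER instead of calling the OpenSSL library, so an embedded receiver can see exactly which fields surround the certificate. The name p7_wrap_cert and the 4-byte stand-in input are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of a DER tag + definite-length header for a body of len bytes. */
static size_t hdr_len(size_t len) {
    size_t n = 2;
    if (len >= 0x80) for (; len; len >>= 8) n++;
    return n;
}
/* Write tag and DER length at out; returns bytes written. */
static size_t put_hdr(uint8_t *out, uint8_t tag, size_t len) {
    size_t n = hdr_len(len), i;
    out[0] = tag;
    out[1] = (n == 2) ? (uint8_t)len : (uint8_t)(0x80 | (n - 2));
    for (i = n - 1; i >= 2; i--) { out[i] = (uint8_t)len; len >>= 8; }
    return n;
}

/* Added helper (name made up here): certs-only PKCS7 around one DER cert; 0 if cap is too small. */
size_t p7_wrap_cert(const uint8_t *cert, size_t cert_len, uint8_t *out, size_t cap) {
    static const uint8_t oid_signed[] =         /* 1.2.840.113549.1.7.2 signedData */
        {0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02};
    static const uint8_t fixed[] = {
        0x02,0x01,0x01,                         /* version 1 */
        0x31,0x00,                              /* digestAlgorithms: empty SET */
        0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01 }; /* contentInfo: data */
    size_t sd_body = sizeof fixed + hdr_len(cert_len) + cert_len + 2;
    size_t sd = hdr_len(sd_body) + sd_body, outer = sizeof oid_signed + hdr_len(sd) + sd;
    uint8_t *p = out;
    if (hdr_len(outer) + outer > cap) return 0;
    p += put_hdr(p, 0x30, outer);               /* ContentInfo */
    memcpy(p, oid_signed, sizeof oid_signed); p += sizeof oid_signed;
    p += put_hdr(p, 0xA0, sd);                  /* [0] EXPLICIT content */
    p += put_hdr(p, 0x30, sd_body);             /* SignedData */
    memcpy(p, fixed, sizeof fixed); p += sizeof fixed;
    p += put_hdr(p, 0xA0, cert_len);            /* [0] IMPLICIT certificates */
    memcpy(p, cert, cert_len); p += cert_len;
    p += put_hdr(p, 0x31, 0);                   /* signerInfos: empty SET */
    return (size_t)(p - out);
}

int main(void) {
    static const uint8_t stand_in[] = {0x30,0x02,0x05,0x00}; /* constructed, not a real cert */
    uint8_t buf[64];
    size_t i, n = p7_wrap_cert(stand_in, sizeof stand_in, buf, sizeof buf);
    for (i = 0; i < n; i++) printf("%02X%c", buf[i], i + 1 < n ? ' ' : '\n');
    return n ? 0 : 1;
}
```

The wrapper adds 39 bytes around a short input and a few more once the certificate needs long-form lengths. Given a real DER certificate as input, the output can be checked with `openssl pkcs7 -inform DER -print_certs`.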