Thanks, Dave, for rectifying my reply.

Indeed, I was not precise in my reply.

On Thu, Jul 26, 2012 at 12:06 AM, Dave Thompson <dthomp...@prinpay.com> wrote:

> >From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
> >Sent: Wednesday, 25 July, 2012 08:45
>
> >You will always have to create a certificate request using your private
> >key.
>
> True if you're using an external CA, but not if you're doing it yourself.
> openssl commandline supports both options: you can create a req and use it
> to issue a cert, or you can issue a self-signed cert directly. AFAICS there
> isn't currently a utility that can directly issue non-self-signed, but
> a program using openssl library, which is what the OP asked, can do that.
>
> >This certificate request is used to sign and create respective
> >certificate.
>
> Not true. Assuming there is a request, the CA uses data from it to create
> the certificate (body), but the CA signs the certificate with the CA key,
> not with the key in the request. (The key in the request, or more exactly
> the privatekey matching the publickey in the request, is used to sign
> the *request* as proof of possession, at least in PKCS#10.)
>
>
> >On Wed, Jul 25, 2012 at 2:14 PM, Saurabh Pandya
> ><er.saurabhpan...@gmail.com> wrote:
> >       --> I have created my self signed CA (cert.pem) ...
> >       --> I want to use this CA and private key to sign other (server)
> >       certificates programmatically.
>
> >     (IS there any compulsion or advisory, that One SHOULD/MUST make
> >       certificate request before making certificate)
>
> There is no requirement in the OpenSSL library; you can just build an X509
> body (certInfo) however you choose and then sign it. But you should be sure
> the key you are certifying is correct; there are two basic ways:
>
> 1. Have the entity (server) generate its keypair, give you the publickey,
> and tell you its identity for you to put in the certificate. Optionally
> they might tell you other things they want in the cert, like KeyUsage.
> This needs to be done securely, so that Mallory can't substitute his
> key in Alice's request and thereby be enabled to impersonate Alice.
> You could design your own scheme to do these things, but PKCS#10 already
> does them well and is widely implemented and supported.
>
> 2. You generate the server keypair and a certificate for it, and give
> both the privatekey and the cert to the server to use. There are several
> ways to do this; PKCS#12 is the most common and is supported by OpenSSL.
> If you own both the CA and the server(s), this works fine.
> If the server(s) belong to someone else, that person or organization now
> depends for their security on *you* securing the key(s) you issued them.
> If the server(s) will be processing data that is encrypted because it has
> value to somebody, be sure you are ready for this responsibility.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>



-- 
Regards,
*Sukalp Bhople.*
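The flow Dave describes above, as an added example that is not part of the thread and not code from the OpenSSL project: a CA issued directly as a self-signed cert (no request involved), a server that keeps its private key and hands over a PKCS#10 request, the CA checking the request's self-signature as proof of possession, and the CA signing the resulting certificate with the CA key rather than the key in the request. It goes one step beyond the mail by adding the checks a practitioner would run afterwards: the certificate carries the request's public key, its issuer is the CA, the chain verifies under the CA and fails under an unrelated CA. It assumes an `openssl` binary on PATH with its stock configuration file (so `req -x509` marks the CA as CA:TRUE); the CA names, the server name and the temp-dir file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSL project code). Uses only the
# openssl command line; throwaway keys live in a temp dir and are removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "issue a self-signed cert directly": a CA needs no request; it builds the
# body and signs it with its own key. -nodes leaves the key unencrypted on disk.
make_self_signed_ca() {            # $1 = file prefix, $2 = CN (constructed names)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

# Way 1 from the mail: the server generates its own keypair and hands over a
# PKCS#10 request carrying public key and identity; the private key stays put.
make_server_request() {            # $1 = file prefix, $2 = CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# The request is signed with the requester's private key as proof of
# possession; the CA checks that self-signature before issuing anything.
request_pop_ok() {                 # $1 = csr file; exit status is the result
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# The CA copies subject and public key out of the request but signs the
# certificate with the CA key (-CAkey), never with the key in the request.
issue_from_request() {             # $1 = csr, $2 = CA file prefix, $3 = output cert
    openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -sha256 -days 1 -out "$3" 2>/dev/null
}

# Helpers for the checks.
pubkey_of_request() { openssl req  -in "$1" -noout -pubkey; }
pubkey_of_cert()    { openssl x509 -in "$1" -noout -pubkey; }
dn_field()          { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }  # $2 = subject|issuer
chain_ok()          { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }            # $1 = anchor, $2 = leaf

run_demo() {
    make_self_signed_ca "$WORK/ca"     "Example Test CA"
    make_self_signed_ca "$WORK/other"  "Unrelated Test CA"   # only for the negative check
    make_server_request "$WORK/server" "server.example.test"

    request_pop_ok "$WORK/server.csr" || { echo "request self-signature failed"; return 1; }
    issue_from_request "$WORK/server.csr" "$WORK/ca" "$WORK/server.pem"

    # The public key in the cert is the one from the request ...
    [ "$(pubkey_of_request "$WORK/server.csr")" = "$(pubkey_of_cert "$WORK/server.pem")" ] \
        || { echo "public key was not carried over from the request"; return 1; }
    # ... but the issuer, and hence the signing key, is the CA's.
    [ "$(dn_field "$WORK/server.pem" issuer)" = "$(dn_field "$WORK/ca.pem" subject)" ] \
        || { echo "issuer is not the CA"; return 1; }
    chain_ok "$WORK/ca.pem" "$WORK/server.pem" || { echo "chain does not verify under the CA"; return 1; }
    if chain_ok "$WORK/other.pem" "$WORK/server.pem"; then
        echo "cert verified under an unrelated CA"; return 1
    fi

    echo "ok: certificate carries the request's key and is signed by the CA's key"
}

run_demo
```

The negative check is the one that shows the signing key is the CA's: the same certificate that verifies under `ca.pem` is rejected under `other.pem`, so nothing in the request (or the server's key) contributed to the signature. With way 2 from the mail, the CA would instead generate `server.key` itself and hand it over, typically as a PKCS#12 bundle; the verification steps are the same, but the CA now holds a copy of the server's private key.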
