Thanks all for detailed reply,
demos/x509/mkcert.c approach:
I understood that I dont need to create Certificate signing request (CSR)
and I can directly create
X509 *My_cert ,
and sign it with my CA certificate/key.
demos/x509/mkreq.c approach:
Still i dont understand that, If I go with this approach, i create
X509_REQ *req,
I sign this certificate request with the new private key (csr's key).
THEN HOW CAN I CONVERT THIS CSR into Certificate using API?
for e.g. openssl have command "ca" that sign CSR and outs
the certificate.
HOW CAN I DO THIS USING API?
-
Saurabh
On 7/25/12, Saurabh Pandya <[email protected]> wrote:
> --> I have created my self signed CA (cert.pem) using following openssl
> commands
>
> 1) openssl req -config /etc/openssl.cnf -new -x509 -keyout private.key
> -out cert.pem -days 8000 -passin pass:"abcd" -passout pass:"abcd"
>
> 2) openssl ca -updatedb -config /etc/openssl.cnf -keyfile private.key
> -key "abcd" -cert cert.pem
>
>
> --> I want to use this CA and private key to sign other (server)
> certificates programmatically.
>
> I am aware about .../demo/x509/mkcert.cc and .../demo/x509.mkreq.cc sample
> apps
>
> --> QUESTIONS:
>
> Can I directly create X509 *cert, add stuff and sign it,
> straightforward (mkcert.cc).
> OR
> Need to create X509_REQ (as shown in mkreq.cc) first and then
> sign certificate
> request with CA
>
> (IS there any compulsion or advisory, that One SHOULD/MUST make
> certificate request
> before making certificate)
>
> Thanks,
> Saurabh
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
