> From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya
> Sent: Friday, 27 July, 2012 10:21

> On 7/27/12, Saurabh Pandya <er.saurabhpan...@gmail.com> wrote:
>
>>> Do roughly the same thing apps/ca.c does, except you probably don't
>>> need all its options but may want some other options:
>>>
>>> Create an X509 and set all needed X509_CINF fields in that X509
>>> to values that you either extract from the X509_REQ and approve,
>>> or choose by your own logic (serial at least). Then sign the X509.
>>
>> Using my self-signed CA's private key, isn't it?

Yes. See below.

> I am asking this as I have the basic question about
> certificate signing
>
> -> I have my self-signed CA "A" and CA key file "B"

I assume that's CA-cert file A and CA-key file B.

> -> I create another RSA key pair "EVP_PKEY *pkey" to be used for
> child leaf certificates
> -> I create a certificate "X509 *x" (that is supposed to
> be a child of my CA)
> I am setting the public key by this, which sets the public key
> part of the RSA key "pkey" in my certificate "x":
> X509_set_pubkey(x,pkey)
> And I am signing the certificate with my private key:
> X509_sign(x,pkey)

No. That makes the child self-signed, not signed by the CA.

> Then how can I make my normal server certificate
> "x" a child of
> my CA certificate "A"? Do I need to sign it with "B"?
>
> I am confused which keys to set in X509_set_pubkey()
> and X509_sign
> when I want a certificate to appear to be issued by my CA.

X509_set_pubkey to (public part of) child's key (pkey)
X509_set_subject_name to name of the child
X509_set_issuer_name to name of the CA, specifically
  X509_get_subject_name from the CA-cert in file A.
X509_set_serialNumber to a unique value you choose (some CAs use
  actual serial numbers 1,2,3,... but most nowadays use an obscured
  or totally random sequence)
X509_set_notBefore,notAfter as desired (usually notBefore=now,
  notAfter=now plus some interval like 3 months, 1 year, etc.)
X509_set_version depending on whether you do extensions or not
X509v3_add_ext or various X509V3_ routines for extensions
then X509_sign using (private part of) CA-key in file B
and also save the child's private key for the child to use