Julien Beasley wrote:
>
> Dear SSL users,
>
> I apologize if this is an often asked question. I have been looking
> through the documentation, and experimenting, but I have not been able to
> do what I want to do.
>
> I have a private key that I created with
>
> /usr/local/ssl/bin/req -new -x509
>
> This key is now called privkey.pem
>
> I now want to create a new key/certificate pair
> /usr/local/ssl/bin/req -new -x509 -keyout keyb.pem > cert.pem
>
> I now have keyb.pem (the private key for keyb), and cert.pem (the public
> key for b (am I correct?)).
Yes, a self-signed certificate (as -x509 specifies), not a yet-to-be-signed
certificate request.
> What I now want to do is sign cert.pem with privkey.pem, so that people
> seeing cert.pem could be sure that it was trusted by privkey.pem.
You already have a certificate signed by the private key keyb.
> How can I do this?
Do you really need a 2-step process: key pair generation and certificate signing?
"req -x509" does all the work required.
> I tried
>
> /usr/local/ssl/bin/x509 -signkey privkey.pem <cert.pem > cert2.pem
>
> However, when I try to look at cert2 with
>
> /usr/local/ssl/bin/asn1parse < cert2.pem
>
> I see no mention of privkey... If anyone could tell me what I am doing
Please note that a private key is never placed in a certificate, so
it will not appear in the asn1parse output.
> wrong, I would be most appreciative. It certainly is asking me for the
> passphrase of privkey, so maybe it is signing correctly and I just don't
> know how to see it?
You can check whether a signature (made by someone's private key) can be
verified with his public key.
x509 asked you for the private key passphrase because you asked it to load the
private key with "-signkey".
Hope this helps,
Vadim Fedukovich
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
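What the thread leaves implicit is the shape of the two-key setup Julien is after: the key that should vouch for others acts as a small CA, the second key gets a certificate request rather than a self-signed certificate, and "x509" signs that request with the CA key. The script below is an added example, not code from the thread or from the OpenSSL project. It builds that setup with the same "req" and "x509" commands discussed above, checks the result the way Vadim suggests (signature verified against the signer's public key), and then runs the exact "x509 -signkey" command from the question to show why it did not do what was intended. File names, subject names, RSA-2048 and unencrypted (-nodes) keys are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. privkey.pem acts as a
# small CA, keyb.pem gets a certificate *request* that the CA signs, and the
# outcome is checked with "openssl verify". File names and subject names are
# assumptions; keys are left unencrypted (-nodes) so the demo is non-interactive.
set -e

# Skip cleanly when the openssl CLI is not installed (nothing to demonstrate).
if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl CLI not found; demo skipped" >&2
    exit 0
fi

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. The CA: "req -new -x509" generates a key and a self-signed certificate
#    in one step, exactly as in the thread.
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo CA" \
        -keyout privkey.pem -out cacert.pem 2>/dev/null
}

# 2. Key B: generate a key plus a certificate request (no -x509). A request,
#    not a self-signed certificate, is what another key signs.
make_csr_b() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=keyb" \
        -keyout keyb.pem -out keyb.csr 2>/dev/null
}

# 3. Sign B's request with the CA key: issuer = CA subject, public key = B's.
sign_b() {
    openssl x509 -req -in keyb.csr -CA cacert.pem -CAkey privkey.pem \
        -CAcreateserial -days 365 -out certb.pem 2>/dev/null
}

# Check 1: the signature on certb.pem verifies with the CA certificate's
# public key. This is what "trusted by privkey.pem" means in practice.
verify_b() {
    openssl verify -CAfile cacert.pem certb.pem
}

# Check 2: the public key inside certb.pem is keyb's public key.
pubkey_matches() {
    [ "$(openssl pkey -in keyb.pem -pubout)" = \
      "$(openssl x509 -in certb.pem -pubkey -noout)" ]
}

# Helper: print the issuer line of a certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Contrast: the command from the question. With a certificate as input,
# "x509 -signkey" makes it self-signed: the issuer becomes the input's own
# subject and the public key is replaced by privkey's. That is why cert2.pem
# does not link keyb to privkey, even though the passphrase prompt suggested
# that some signing happened.
signkey_demo() {
    openssl x509 -signkey privkey.pem -in certb.pem -out cert2.pem 2>/dev/null
}

# Check 3: cert2.pem now carries privkey's public key, not keyb's.
cert2_pubkey_is_privkey() {
    [ "$(openssl pkey -in privkey.pem -pubout)" = \
      "$(openssl x509 -in cert2.pem -pubkey -noout)" ]
}

run_demo() {
    make_ca && make_csr_b && sign_b
    verify_b                                   # prints "certb.pem: OK"
    pubkey_matches && echo "certb.pem carries keyb's public key"
    echo "certb.pem $(issuer_of certb.pem)"    # issuer is the Demo CA
    signkey_demo
    echo "cert2.pem $(issuer_of cert2.pem)"    # issuer is now keyb itself
    cert2_pubkey_is_privkey && echo "cert2.pem carries privkey's public key"
}

run_demo
```

The practical check is the pair "openssl verify -CAfile" plus a comparison of the public key in the certificate against the key file you believe it belongs to; "asn1parse" shows the signature bytes but cannot tell you which key made them. Note that "x509 -signkey" is the right tool only for re-signing something as self-signed (a request, or a certificate whose key you hold); to have one key vouch for another, sign a request with "-CA/-CAkey" as above.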