Hi,
Sorry for asking this kind of question again but I've checked the archive and
didn't find a working answer for me :(
I'd like to create a chain certificate using Linux. Please correct me if I'm
wrong in the following :
Steve said :
"First the root certificate : openssl req -x509 -new -keyout root.pem -out
root.pem -days 512".
Ok, "x509" outputs a self signed certificate instead of a certificate request,
so we have a complete root CA, certificate and the key going to the same file.
Then he said :
"request for the intermediate CA : openssl req -out careq.pem -new -keyout
cacert.pem".
Ok, it outputs a certificate request in careq.pem because -x509 isn't present.
Do I have to create this intermediate CA ? I mean, isn't a root CA then a CA
enough ? Do I have to obtain three levels in the hierarchy ?
Then he said :
"sign it using x509 : openssl x509 -req -in careq.pem -extfile <path to config
file> -extensions v3_ca -CA root.pem -CAcreateserial -days 500 >>cacert.pem"
Here I have a link between root CA and intermediate CA since "-CA root.pem" is
used.
Then he said :
"openssl crl2pkcs7 -nocrl -certfile usercert.pem -certfile cacert.pem -out
final.pem".
Where does the usercert.pem file come from ?
How can I create this certificate ?
How to "link" this third certificate with the second one I've just signed ?
Will the hierarchy still be present in the third certificate ?
In one word, will the "-chain" parameter of the pkcs12 command work once the
third certificate is created ?
Thx,
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
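
The three-level chain discussed in the message above (root CA, intermediate CA, user certificate), as an added example that is not part of the original post or of Steve's quoted commands. The subject names, file names, the demo.cnf config and the passphrase "example" are assumptions made for the example, and keys are written to separate .key files rather than into the certificate files.

```shell
#!/bin/sh
# Added example: root CA -> intermediate CA -> user certificate.
# Subject names, file names and the passphrase "example" are constructed.
set -e

build_chain() (
    mkdir -p "$1" && cd "$1"
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    # 1. Root: -x509 makes req emit a self-signed certificate, not a request.
    openssl req -x509 -new -nodes -newkey rsa:2048 -config demo.cnf \
        -extensions v3_ca -subj "/CN=Example Root CA" -days 512 \
        -keyout root.key -out root.pem
    # 2. Intermediate CA: request, then signed by the root with CA:TRUE.
    openssl req -new -nodes -newkey rsa:2048 -config demo.cnf \
        -subj "/CN=Example Intermediate CA" -keyout ca.key -out careq.pem
    openssl x509 -req -in careq.pem -extfile demo.cnf -extensions v3_ca \
        -CA root.pem -CAkey root.key -CAcreateserial -days 500 -out cacert.pem
    # 3. User certificate: same two steps, but signed by the intermediate.
    openssl req -new -nodes -newkey rsa:2048 -config demo.cnf \
        -subj "/CN=user.example" -keyout user.key -out userreq.pem
    openssl x509 -req -in userreq.pem -extfile demo.cnf -extensions usr_cert \
        -CA cacert.pem -CAkey ca.key -CAcreateserial -days 365 -out usercert.pem
    # 4. PKCS#12 bundle; -chain needs every issuer up to the root in -CAfile.
    cat cacert.pem root.pem > chain.pem
    openssl pkcs12 -export -in usercert.pem -inkey user.key -chain \
        -CAfile chain.pem -passout pass:example -out user.p12
)

# Succeeds only if usercert.pem chains through cacert.pem to root.pem.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/cacert.pem" \
        "$1/usercert.pem"
}

work=$(mktemp -d)
build_chain "$work"
verify_chain "$work"
```

The user certificate itself only names its issuer; the hierarchy is carried by shipping the intermediate and root certificates alongside it, which is what the PKCS#12 bundle built with -chain does.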