do not want to do it in production.
Aleksey Sanin.
http://www.aleksey.com/xmlsec
-------------------------------------------------------
A. Create new CA
> CA.pl -newca
> cp ./demoCA/cacert.pem .
> cp ./demoCA/private/cakey.pem .
> openssl x509 -text -in cacert.pem
B. Generate RSA key and second level CA
> openssl genrsa -out ca2key.pem
> openssl req -new -key ca2key.pem -out ca2req.pem
> openssl ca -cert cacert.pem -keyfile cakey.pem \
-out ca2cert.pem -infiles ca2req.pem
> openssl verify -CAfile cacert.pem ca2cert.pem
C. Sign DSA key with second level CA
> openssl req -new -key dsakey.pem -out dsareq.pem
> openssl ca -cert ca2cert.pem -keyfile ca2key.pem \
-out dsacert.pem -infiles dsareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem
D. Sign RSA key with second level CA
> openssl req -new -key rsakey.pem -out rsareq.pem
> openssl ca -cert ca2cert.pem -keyfile ca2key.pem \
-out rsacert.pem -infiles rsareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem rsacert.pem
Howard Chan wrote:
Hello OpenSSL experts,
I've been experimenting, or more like playing around, with OpenSSL on Linux. This is what I'm trying to do with OpenSSL:
- create a self-signed root CA certificate
- create a private key and then a certificate request
- use the root CA cert to sign the certificate request, thereby making a user certificate
- finally, I want to verify the cert....(ie. verify -CApath _______ newcert.pem)
I'm no expert at this, but this is what I did (so far):
- I used 'openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem' for Step 1 above.
- I used 'openssl req -new -key privkey.pem -out cert.csr' for Step 2 above.
For Step 3 above, I tried using the 'ca' command but it always returned an error (which is attached), saying that it could not find files in the ./demoCA directory. So I created a /demoCA directory on my machine containing the CA cert and its private key and the serial and index files. But still, when I ran the 'ca' command the same error occurs.
I know there's a CA.pl program....which I can utilize to do the cert creation...but how do I use that? Do I need to compile it or anything before I can use that program? I'm not sure.
So I don't know what to do for Step 3 (sign a cert request with the CA root cert). I'm out of ideas.
Please enlighten me with some ideas, or correct my errors if you could.
Thanks a lot.
Best regards,
H. Chan
Using configuration from /usr/share/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory
trying to load CA private key
7740:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
7740:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
error in ca
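The chain from steps A to D, as an added example that is not part of either message: a script that builds a root CA, a second-level CA and an RSA end-entity certificate with `openssl ca`, pointing it at an explicit `-config` file rather than the `./demoCA` defaults. The directory names (`root`, `ca2`), the subject names and the contents of `ca.cnf` are assumptions made for the example.

```sh
#!/bin/sh
# Added example: root CA -> second-level CA -> end-entity cert with `openssl ca`.
# Directory names, subjects and ca.cnf are constructed for this sketch.
build_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    for d in root ca2; do   # per-CA state that `openssl ca` expects to find
        mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial" || exit 1
    done
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ENV::CA_DIR
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
default_md = sha256
default_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # CA_DIR selects the CA directory; -extensions v3_ca marks ca2 as an issuer.
    export CA_DIR=root
    openssl genrsa -out root/cakey.pem 2048 &&
    openssl req -x509 -new -config ca.cnf -key root/cakey.pem \
        -subj "/CN=Example Root CA" -days 30 -out root/cacert.pem &&
    openssl genrsa -out ca2/cakey.pem 2048 &&
    openssl req -new -config ca.cnf -key ca2/cakey.pem -subj "/CN=Example CA2" -out ca2req.pem &&
    openssl ca -config ca.cnf -batch -notext -extensions v3_ca \
        -in ca2req.pem -out ca2/cacert.pem &&
    CA_DIR=ca2 &&
    openssl genrsa -out rsakey.pem 2048 &&
    openssl req -new -config ca.cnf -key rsakey.pem -subj "/CN=leaf.example" -out rsareq.pem &&
    openssl ca -config ca.cnf -batch -notext -in rsareq.pem -out rsacert.pem
)
# Only the root is trusted; the second-level CA is supplied via -untrusted.
verify_leaf() ( cd "$1" && openssl verify -CAfile root/cacert.pem -untrusted ca2/cacert.pem rsacert.pem )
if [ -n "${1:-}" ]; then build_chain "$1" && verify_leaf "$1"; fi
```

Run it with a scratch directory as its only argument; the keys are written unencrypted, which suits a test chain only.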