Basically, you have to create a CA first. This means having a private key to sign certificates. The private key needs to be kept under very strict security (created with: openssl genrsa ...).

The first cert you create is a self-signed root certificate. This includes the public key (openssl req -new -x509 ...). This certificate needs to be trusted by the clients.

The client requests are signed by the CA, see last posting.

You have to understand the openssl.cnf, because you need to adapt this file.

See info on openssl.org and documentation! (But beware, some of the online documentation reflects future options of the software, as it describes 0.9.7 and 0.9.6g is used for production systems, normally.)

Googling for keywords may help a lot.

Best regards,
Michael

On 2002-11-07 at 22:37, "Oblio" wrote at <[EMAIL PROTECTED]>:

> Ok, I know it's very basic, it's just that there's no easy starting point
> for someone who's never done this.
>
> First, understand that I'm attempting all this under WinNT, and I couldn't
> even get the thing to compile. Fortunately, the folks at
> shininglightpro.com posted a win32 port, so at least I have the
> executable. However, I don't have any of the manuals (although, I can kind
> of read through the .pods).
>
> I have a cert request that I want to sign, and I don't know how to go about
> it. If I do what you suggest, and use the ca command, it's looking for a
> config file (which I don't have, nor do I know what's supposed to be in
> it). I've tried using the x509 command, and I get closer, but it's either
> looking for a key, or a trusted cert. Do I just generate an RSA (or some
> other kind?) of key? If so, don't I need to distribute a public key to
> challenge the cert with?
>
> This really isn't very straightforward, and I can use all the help I can get.
>
> Thanks,
> Oblio
>
> At 11/7/2002 09:52 PM +0100, you wrote:
>> this is very basic.
>>
>> pkcs#10 is the standard request format.
>> under normal circumstances, the client (person who requests a certificate)
>> sends a pkcs#10 to the ca and the ca signs this request.
>>
>> in openssl this is done with
>>
>> openssl ca -in thePKCS#10.pem -out theCert.pem,
>>
>> using different options for CA-name, validity, keyfile, directories,
>> extensions, batch mode, ...
>> you find this with
>>
>> man ca
>>
>> Best regards,
>> Michael
>>
>> On 2002-11-07 at 21:30, "Oblio" wrote at <[EMAIL PROTECTED]>:
>>
>>> Does anyone know what to do with a PKCS#10 cert request?
>>>
>>> Oblio
>>>
>>> ______________________________________________________________________
>>> OpenSSL Project http://www.openssl.org
>>> User Support Mailing List [EMAIL PROTECTED]
>>> Automated List Manager [EMAIL PROTECTED]
>>
>> --
>> ************************************************************************
>> Karl-Michael Werzowa
>> A-1190 Wien, Paradisgasse 28/4/6
>> +43 (664)302 4511, fax +43 (1)328 1992 14
>> [EMAIL PROTECTED], [EMAIL PROTECTED]
>> ************************************************************************
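
The sequence discussed in this thread (CA key, self-signed root, then `openssl ca` over a PKCS#10 request), together with the minimal config file that `openssl ca` asks for, as an added example that is not part of the original posts. File names, subjects, lifetimes and section names are constructed, and it assumes a current OpenSSL rather than the 0.9.6 of the thread.

```shell
# Added example: throwaway CA signing one PKCS#10 request; all names are constructed.
sign_demo() (
  work=$(mktemp -d) && cd "$work" || exit 1
  trap 'rm -rf "$work"' EXIT
  # Bookkeeping files `openssl ca` expects: issued-cert database and next serial.
  mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
  cat > ca.cnf <<'EOF' || exit 1
[ req ]
distinguished_name = dn
x509_extensions    = root_ext
[ dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = ./index.txt
new_certs_dir   = ./newcerts
serial          = ./serial
certificate     = ./ca.crt
private_key     = ./ca.key
default_md      = sha256
default_days    = 30
policy          = policy_cn
x509_extensions = leaf_ext
copy_extensions = none
[ policy_cn ]
commonName = supplied
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
EOF
  # 1. CA private key (unencrypted only because this is a demo) and root cert.
  openssl genrsa -out ca.key 2048 2>/dev/null &&
  openssl req -new -x509 -config ca.cnf -key ca.key -subj "/CN=Demo Root CA" \
    -days 30 -out ca.crt &&
  # 2. Client side: own key plus a PKCS#10 request; only the CSR goes to the CA.
  openssl genrsa -out client.key 2048 2>/dev/null &&
  openssl req -new -config ca.cnf -key client.key \
    -subj "/CN=client.example.test" -out client.csr &&
  # 3. CA side: check the request's self-signature, then sign it.
  openssl req -in client.csr -noout -verify >/dev/null 2>&1 &&
  openssl ca -batch -config ca.cnf -in client.csr -out client.crt -notext \
    >/dev/null 2>&1 &&
  # 4. Relying party: trusts ca.crt only; prints "client.crt: OK" on success.
  openssl verify -CAfile ca.crt client.crt
)
sign_demo
```

In practice steps 1 and 3 run on the CA host and step 2 on the requester's machine, so `ca.key` never leaves the CA and only `ca.crt` is distributed to clients.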