I hope I'm using this mailing list correctly, as this is the 1st time I've used a majordomo service. If I'm using the mailing list incorrectly, I apologize in advance! Anyway, here is my question:
I want to create a certificate that is self signed, which will be used for an https connection and will be issued by my web server. I think I have successfully created such a certificate with the SSLeay library (see code below). However, whenever a browser such as Internet Explorer "Installs the Certificate" I have created, the certificate ends up getting installed to IE's "Intermediate Certification Authorities" category of certificates. (You can find the list of certificates and categories in IE under Tools->Internet Options->Content, then click on the "Certificates" button). When the certificate gets installed to this category, every subsequent time a user connects to my server, IE gives a warning that says the certificate is not from a trusted company. I want to give the user the option to "Install the Certificate" into the "Trusted Root Certification Authorities" category, so after a user has installed my certificate, each subsequent time the user connects to my server, IE will not give a warning. The web server that will be distributing my self-signed certificate is going to be on a local network. I am mainly using the certificate for encrypted data transmission purposes, not for server identification/authentication. And if you are wondering why I'm not using the command line "openssl" command to generate a certificate, it is because the web server I'm using is developed by me and I want the server itself to do the certificate generation. Here is the code that creates a key and my self signed certificate. The key is generated by the 1st function and then passed onto the 2nd function. Thanks.
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>

#ifndef SSL_DAYS
#define SSL_DAYS 365   /* assumed value; SSL_DAYS is defined elsewhere in the poster's build */
#endif

EVP_PKEY * gen_key()
{
    EVP_PKEY *pkey = NULL;
    RSA *rsakey;

    if(!(pkey = EVP_PKEY_new())) {
        //printf("Failed to create new key\n");
        return NULL;
    }
    if(!(rsakey = RSA_generate_key(1024, 0x10001, NULL, NULL))) {
        //printf("Failed to create rsa key\n");
        EVP_PKEY_free(pkey);
        return NULL;
    }
    // On success pkey takes ownership of rsakey, so it is only freed
    // separately when the assignment fails
    if(!(EVP_PKEY_assign_RSA(pkey, rsakey))) {
        //printf("Failed to assign key\n");
        RSA_free(rsakey);
        EVP_PKEY_free(pkey);
        return NULL;
    }
    return pkey;
}

--------------------------------------------------------------------------

X509 * gen_certificate(EVP_PKEY *pkey)
{
    X509 *x509ss = NULL;
    X509_NAME *subj = NULL;

    if(!(x509ss = X509_new())) {
        //printf("Failed to create new certificate\n");
        return NULL;
    }
    if(!(X509_set_version(x509ss, 2))) {   // 2 means X.509 version 3
        //printf("Failed to set version of certificate\n");
        goto err;
    }
    if(!(ASN1_INTEGER_set(X509_get_serialNumber(x509ss), 0L))) {
        //printf("Failed to set serial number\n");
        goto err;
    }
    if(!(X509_set_pubkey(x509ss, pkey))) {
        //printf("Failed to set key of certificate\n");
        goto err;
    }
    subj = X509_get_subject_name(x509ss);
    if(!X509_NAME_add_entry_by_txt(subj, "CN", MBSTRING_ASC,
                                   (unsigned char *)"server name/IP", -1, -1, 0)) {
        //printf("Failed to add subject CN\n");
        goto err;
    }
    // A self-signed certificate must carry the same name as subject and
    // issuer. The original gave the issuer a different CN ("Generic Name"),
    // which makes a browser treat the certificate as issued by some other
    // CA; that is why IE files it under "Intermediate Certification
    // Authorities" instead of offering the trusted root store.
    if(!(X509_set_issuer_name(x509ss, subj))) {
        //printf("Failed to set issuer name\n");
        goto err;
    }
    // Set the validity time to start a day before, thus the negative number
    if(!(X509_gmtime_adj(X509_get_notBefore(x509ss), -(60*60*24)))) {
        //printf("Failed to set notBefore time\n");
        goto err;
    }
    // Set the validity to end SSL_DAYS later
    if(!(X509_gmtime_adj(X509_get_notAfter(x509ss), 60*60*24*SSL_DAYS))) {
        //printf("Failed to set notAfter time\n");
        goto err;
    }
    // Sign it (MD5 is kept from the original; a SHA digest is preferable today)
    if(!(X509_sign(x509ss, pkey, EVP_md5()))) {
        //printf("Signing failed\n");
        goto err;
    }
    return x509ss;

err:
    X509_free(x509ss);
    return NULL;
}
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]