In message <[EMAIL PROTECTED]> on Thu, 23 Sep 2004 02:00:41 +0400, Toxa <[EMAIL PROTECTED]> said:

postfix> Hi everyone.
postfix> I'm using openssl to build Certificate Authorities, in order
postfix> to play with PKI. In PKI, there is a procedure called
postfix> "cross-certification", in which two separate CAs both sign their
postfix> special requests to make cross-certificates. The goal
postfix> achieved by cross-certification is that users of one CA
postfix> become "trusted" for users of another CA, even if they don't
postfix> have the CA root certificate installed, and those two CAs don't have
postfix> any relationship except cross-certification.
postfix> 
postfix> Is there any method to make cross-certificate requests and issue cross
postfix> certificates in openssl? I can find no information about
postfix> cross-certification in OpenSSL CA world...

First, use 'openssl x509 -x509toreq' to create a CSR from the
certificate you want to cross-certify, then use 'openssl ca' to sign
it, and use a specific extension section in the configuration file
(use the -extensions option).  Alternatively, the CA you want to
cross-certify with could send you the CSR they used to create their CA
certificate, and you could send them yours.

Cross-certification is really not that magic.  You do need to keep
track of policies, how you map policies, path lengths and things like
that, which is why I suggest you have a specific configuration section
for this purpose.  Of course, you might just not care, and in that
case, the extension v3_ca should be good enough.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
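
The two steps from the reply, as an added shell example that is not part of the original message: CA "a" cross-certifies CA "b" using a dedicated extension section, and a verification helper then checks that a certificate issued by "b" chains to "a"'s root only when the cross-certificate is supplied. The file names, subject names and the `[cross_ext]` section contents are assumptions made for this demo.

```shell
# Constructed demo: CA "a" cross-certifies CA "b". File names, subject names and
# the [cross_ext] section are assumptions for this example, not from the post.
cross_certify_demo() (
  set -e; cd "$1"
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = ca_a
[ca_a]
database = index.txt
new_certs_dir = .
serial = serial
default_md = sha256
policy = pol
[pol]
commonName = supplied
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[cross_ext]
# pathlen:0: under a's trust, b may issue end-entity certificates but no sub-CAs
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  : > index.txt; echo 01 > serial
  for n in a b; do   # two unrelated self-signed roots
    openssl req -x509 -config demo.cnf -extensions root_ext -newkey rsa:2048 \
      -nodes -keyout "$n.key" -out "$n.crt" -subj "/CN=Constructed CA $n" -days 30
  done
  # A user certificate issued by b (b's own business, a is not involved)
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout user.key -out user.csr -subj "/CN=constructed user"
  openssl x509 -req -in user.csr -CA b.crt -CAkey b.key -CAcreateserial \
    -out user.crt -days 30
  # Step 1 from the reply: turn b's certificate back into a CSR
  openssl x509 -x509toreq -in b.crt -signkey b.key -out b.csr
  # Step 2: a signs it with the dedicated extension section
  openssl ca -batch -notext -config demo.cnf -extensions cross_ext \
    -cert a.crt -keyfile a.key -days 30 -in b.csr -out b_cross.crt
)
# Succeeds if user.crt chains to a's root, optionally via an untrusted cross cert
chain_ok() {
  openssl verify -CAfile "$1/a.crt" ${2:+-untrusted "$2"} "$1/user.crt" >/dev/null 2>&1
}
```

Run `cross_certify_demo` against an empty scratch directory, then call `chain_ok DIR DIR/b_cross.crt` to check the chain with the cross-certificate and `chain_ok DIR` to check it without.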
