In message <[EMAIL PROTECTED]> on Thu, 23 Sep 2004 10:19:38 +0200, Bernhard Froehlich <[EMAIL PROTECTED]> said:
ted> Richard Levitte - VMS Whacker wrote:
ted>
ted> >[...]
ted> >First, use 'openssl x509 -x509toreq' to create a CSR from the
ted> >certificate you want to cross-certify, then use 'openssl ca' to sign
ted> >it, and use a specific extension section in the configuration file
ted> >(use the -extensions option). Alternatively, the CA you want to
ted> >cross-certify with could send you the CSR they used to create their CA
ted> >certificate, and you could send them yours.
ted> >
ted> Should the two CA-Certs be self-signed?

Not necessarily.

ted> I think they have to be or else they cannot sign other requests.

Incorrect. First of all, a certificate is not used to sign a request,
the corresponding private key is. The certificate contains a public key
with which the signature in subordinate certificates is verified. If we
extend what you say to "or else they cannot verify subordinate
certificates", the whole exercise with cross-certification would become
moot, since that creates an intermediate CA certificate. A CA
certificate doesn't have to be self-signed. Doing a cross certification
is to sign a new certificate for the CA you're cross certifying with,
and thereby creating a certificate path with more than just one level.

ted> And if this is so, how do I merge the two certs (the self-signed
ted> one and the cross-signed) into one single cert, which can be
ted> imported into a browser?

That is an entirely different question. You can place all relevant
certificates in a PKCS#12 file, or just concatenate them in one .PEM
file.

ted> Just being a bit confused...

Yes, but I'm not surprised, there's a lot of confusion in this field.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
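The procedure Richard describes, carried through end to end as an added example (this is not code from the thread, from Richard, or from the OpenSSL project). It builds two independent self-signed CAs, "Example CA A" and "Example CA B" (constructed names), turns B's certificate back into a CSR with 'openssl x509 -x509toreq', has A sign that CSR with CA extensions, and then checks with 'openssl verify' that a relying party trusting only A can validate a leaf certificate issued by B once the cross certificate is supplied as an untrusted intermediate, and cannot without it. It finishes by packaging B's self-signed and cross-signed certificates together, both as a concatenated PEM and as a PKCS#12 file, which is the "merge" the question asks about. Two substitutions relative to the thread are assumptions of this script: 'openssl x509 -req' stands in for 'openssl ca' (so no CA database has to be set up), and a small inline config file replaces a system openssl.cnf. The file names, the work directory, and the PKCS#12 password "changeit" are placeholders.

```shell
#!/bin/sh
# Cross-certification walkthrough (added example; not from the original thread).
# A and B are independent CAs. A cross-signs B by re-signing B's existing
# certificate as a CSR. 'openssl x509 -req' is used instead of 'openssl ca'
# so that no index.txt/serial database is needed. Requires the openssl CLI.
set -eu

WORK=${WORK:-$(mktemp -d)}
CNF="$WORK/ext.cnf"
P12_PASS="changeit"   # constructed placeholder password for the PKCS#12 file

# Minimal config: no interactive DN prompts, plus the extension sections
# that 'openssl req -x509' and 'openssl x509 -req' are pointed at.
write_config() {
    cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA certificate: $1 = file stem, $2 = subject CN (P-256 key for speed).
make_self_signed_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 365 \
        -config "$CNF" -extensions v3_ca -subj "/CN=$2" 2>/dev/null
}

setup_cas() {
    write_config
    make_self_signed_ca ca_a "Example CA A"
    make_self_signed_ca ca_b "Example CA B"
}

# A cross-signs B: B's certificate becomes a CSR (signed with B's own key, as
# in the thread); A's key then signs that CSR with the CA extension section.
cross_sign_b_with_a() {
    openssl x509 -x509toreq -in "$WORK/ca_b.crt" -signkey "$WORK/ca_b.key" \
        -out "$WORK/ca_b.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ca_b.csr" -CA "$WORK/ca_a.crt" \
        -CAkey "$WORK/ca_a.key" -CAcreateserial -days 365 \
        -extfile "$CNF" -extensions v3_ca -out "$WORK/ca_b_cross.crt" 2>/dev/null
}

# An ordinary end-entity certificate issued by B under its self-signed cert.
issue_leaf_under_b() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -config "$CNF" -subj "/CN=leaf.example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca_b.crt" \
        -CAkey "$WORK/ca_b.key" -CAcreateserial -days 365 \
        -extfile "$CNF" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null
}

# Relying party that trusts only A: succeeds because the cross cert gives a
# two-level path leaf -> B (cross-signed by A) -> A.
verify_leaf_trusting_a() {
    openssl verify -CAfile "$WORK/ca_a.crt" -untrusted "$WORK/ca_b_cross.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same relying party without the cross cert: must fail (no path to A).
verify_leaf_trusting_a_no_cross() {
    openssl verify -CAfile "$WORK/ca_a.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Relying party that trusts B directly still validates the leaf as before.
verify_leaf_trusting_b() {
    openssl verify -CAfile "$WORK/ca_b.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# The "merge": B's self-signed and cross-signed certs in one PEM file and in
# one PKCS#12 file (certs only). Prints the number of certs in the PEM.
bundle_b_certs() {
    cat "$WORK/ca_b.crt" "$WORK/ca_b_cross.crt" > "$WORK/ca_b_bundle.pem"
    openssl pkcs12 -export -nokeys -in "$WORK/ca_b_bundle.pem" \
        -passout "pass:$P12_PASS" -out "$WORK/ca_b_bundle.p12" 2>/dev/null
    grep -c 'BEGIN CERTIFICATE' "$WORK/ca_b_bundle.pem"
}

# Number of certificates that can be read back out of the PKCS#12 bundle.
count_certs_in_p12() {
    openssl pkcs12 -in "$WORK/ca_b_bundle.p12" -nokeys -passin "pass:$P12_PASS" \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

run_demo() {
    setup_cas; cross_sign_b_with_a; issue_leaf_under_b
    verify_leaf_trusting_a && echo "trust A + cross cert: leaf verifies"
    if verify_leaf_trusting_a_no_cross; then echo "unexpected"; else echo "trust A alone: leaf rejected"; fi
    verify_leaf_trusting_b && echo "trust B: leaf verifies"
    echo "PEM bundle holds $(bundle_b_certs) certs, PKCS#12 holds $(count_certs_in_p12)"
}

if [ "${1:-}" = "--run" ]; then run_demo; fi
```

Run it as `sh cross_sign.sh --run`; it writes into a fresh temporary directory unless WORK is set. The two verify calls against A are the check worth keeping in mind: the cross certificate does not change B's own certificate or its leaves at all, it only adds a second path that ends at A, so it has to be distributed (as the untrusted intermediate, or inside the bundle) to anyone who trusts A but not B.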