On 10/31/05, Rajeshwar Singh Jenwar <[EMAIL PROTECTED]> wrote:
Hi Steve,
I just want to expand this thread.
Can you help me?
I want to create a root CA using openssl (0.9.8) on a Linux box (kernel 2.6.10). Then I want to create intermediate CAs signed by the root CA using openssl. Can you suggest how this is possible?
This is peanuts ;)
You need to create two databases ... the RA and the CA.
The RA has a self-signed cert ...
Then the CA requests that the RA sign a cert for it ... in the RA.conf file, it must sign the certs with basicConstraints = CA:true
In the CA database, configure the CA.conf to use the CA cert and private key the RA just signed ... Also, the certs signed by the CA should have basicConstraints = CA:false (for end-users). From then on, the RA basically can only emit certs for other CAs ... and these CAs can emit certs for end-users ...
I hope this is what you wanted ....
Cesc
Thanks in advance.
Rajeshwar Singh

On 10/31/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Mon, Oct 31, 2005, Cesc wrote:

>
>
> For the sake of completion in this thread, this is what i did ...
> openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile
> root.pem -outform DER -out user.p7c
> Actually, the root.pem cert need not be included ... as long as it is in
> the trusted certs repository it all works fine.
>
> I got this to work in windows (add root.pem as trusted, then double click on
> user.p7c and it says trusted).

Ah, the PKCS#7 stuff was when you were installing the certificate
corresponding to a private key.

If you just want a browser to trust anything signed by the root CA you just
need to install the root CA as trusted.

It is the peer's responsibility to send out intermediate certificates (at
least for SSL and normally for S/MIME too).


> But, will this user.p7c be accepted on the setup of the web server (apache)?
> I tried using it with s_server ... no luck.

For those cases you can include the certificates in the trusted store (e.g.
concatenate them and use the -CAfile option) or include the intermediate CA in
the extra certificates option for Apache.

You can use s_client to check they are all sent out when you connect.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
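Putting the two replies together as an added example (this is not code from the thread, from Cesc or from Steve): a self-signed root, an intermediate signed by the root with basicConstraints CA:true, and an end-entity certificate with CA:false, built with the openssl command line and then checked the way a relying party would. It also shows the failure mode Steve describes (verification with the root alone, no intermediate supplied) and that a certificate issued by a CA:false certificate is rejected. The names (Example Root CA, www.example.test), file names and the working directory are assumptions made for this illustration, not from the page.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a two-tier PKI
# with the openssl command line: a self-signed root, an intermediate signed
# by the root with basicConstraints CA:true, an end-entity certificate with
# CA:false, and the chain/PKCS#7 bundles a server or client would use.
# All names, file names and the working directory are assumptions.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# One config file with an extension section per certificate type.
# basicConstraints decides whether a certificate may issue other certificates.
write_config() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_root
prompt             = no

[ dn ]
CN = Example Root CA

[ v3_root ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_intermediate ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ v3_leaf ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root: "openssl req -x509" signs the certificate with its own new key.
# Intermediate and leaf: CSR first, then "openssl x509 -req -CA ..." signs it
# with the issuer's key and attaches the selected extension section.
build_pki() {
    d="$1"; cfg="$d/ext.cnf"
    write_config "$d"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cfg" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$d/int.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_intermediate -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -subj "/CN=www.example.test" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$d/user.csr" \
        -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_leaf -out "$d/user.pem" 2>/dev/null
    # What the server should send: its own certificate followed by the
    # intermediate (Apache: SSLCertificateChainFile, or appended to
    # SSLCertificateFile on 2.4.8+). The root stays in the client's store.
    cat "$d/user.pem" "$d/int.pem" > "$d/chain.pem"
    # The PKCS#7 bundle from the thread, for importing on Windows.
    openssl crl2pkcs7 -nocrl -certfile "$d/user.pem" -certfile "$d/int.pem" \
        -outform DER -out "$d/user.p7c"
    # Misuse case: the end-entity (CA:false) certificate "issues" another
    # certificate. openssl x509 -req does not stop this; verification must.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -subj "/CN=rogue.example.test" \
        -keyout "$d/rogue.key" -out "$d/rogue.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$d/rogue.csr" \
        -CA "$d/user.pem" -CAkey "$d/user.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_leaf -out "$d/rogue.pem" 2>/dev/null
}

# 0 if the certificate carries CA:TRUE in basicConstraints.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Root trusted, intermediate supplied as untrusted chain material: how a TLS
# client sees a server that sends its intermediate.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/user.pem" >/dev/null 2>&1
}

# Same root, no intermediate: fails, which is what a peer that does not send
# its intermediate certificate looks like to the client.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/user.pem" >/dev/null 2>&1
}

# Full chain offered, but the issuer of rogue.pem is CA:false: must fail.
verify_rogue() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        -untrusted "$1/user.pem" "$1/rogue.pem" >/dev/null 2>&1
}

# Number of certificates in user.p7c (expected 2: leaf and intermediate).
p7_cert_count() {
    openssl pkcs7 -inform DER -in "$1/user.p7c" -print_certs -noout | grep -c '^subject'
}

build_pki "$PKI_DIR"
```

To check a live server the way Steve suggests, run `openssl s_server -accept 4433 -cert "$PKI_DIR/chain.pem" -key "$PKI_DIR/user.key"` in one terminal and `openssl s_client -connect localhost:4433 -CAfile "$PKI_DIR/root.pem" -showcerts` in another: the chain depth printed should include the intermediate and the verify return code should be 0. With `-cert "$PKI_DIR/user.pem"` alone the client reports "unable to get local issuer certificate", the same failure `verify_without_intermediate` reproduces offline.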