Jehan PROCACCIA wrote:
Le 26/08/2009 12:17, Peter Sylvester a écrit :
OK, then how do I re-issue my root CA certificate with my already
existing ca.key ?
If I could have a sample commande line for openssl it would help me .
something like
OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm
-days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in
$PREFIX-ca.crt -out $PREFIX-ca.der -outform der -sha256
thanks for the sample command line, howerver I don't get it clearly ...
what are $CAPREFIX-ca.cacert and $PREFIX-ca.crt !?
the -extfile CA-EXTENSION.prm could be a localy modified openssl.cnf ?
then the -clrext isn't clear to me "delete extensions before signing
and input certificate", in the 1st place , I do want to add
extensions, why ask openssl to delete them !?
All $things are "variables":
$PREFIX is the cert that you want to modify (a copy or your root cert)
$CAPREFIX the key (and cert) you want to sign with (cert is used to
become issuer), agin your root cert and key.
CA_EXTENSION.prm is a complete set of extension that you want to have
with the initial
section containing extensions=whateverlistofextensions.
The original input cert contains extensions, they are "ignored" with the
-clrext.
Only the extensions from the config file are taken.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
