Thanks Viktor for your quick response. I, too, am contesting the unnecessary use of a 3072-bit key.

Surprisingly, in the given scenario, if I write this line of code before modifying the certificate, it works like a charm:

    pkcs7 = PKCS7_dup(pkcs7);

Below is the flow of APIs:

1) pkcs7 = PKCS7_dup(pkcs7); (I simply duplicate the value back to the same pointer)
2) Generate key pair (new keys)
3) X509_set_pubkey
4) PEM_write_bio_PKCS7 (create cert chain from PKCS value)

The duplication is even done before any certificate key change. I fail to understand why that is so.

Thanks,
Josh

On Tue, Nov 9, 2010 at 12:02 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Tue, Nov 09, 2010 at 11:42:14AM -0500, josh kirbey wrote:
>
> > Hi All,
> >
> > We are required to upgrade the sizes of private/public key pairs to 3072
> > bits from 1024 bits.
>
> Welcome to bureaucratic insanity. There is no rational basis for
> this requirement. Even 2048 bits is excessively conservative for most
> applications, you're likely much better off with 1280 or 1536-bit keys.
>
> > During the upgrade process, I pick the X509 stack and pick the certificate
> > and generate the new keys with 3072 bits size. Also, I am successfully able
> > to set the public key for this cert using the API X509_set_pubkey. Using the
> > new public key in the Cert and the new private key, we prepare a certificate
> > request that is to be sent to the CA server.
> >
> > Along with the new certificate request, we also send the Cert chain (PKCS
> > value) to the provisioning server for verification. PKCS value is not really
> > touched here. On the provisioning end, when we call "X509_verify_cert" it
> > always fails with the error, "Certificate Verification error : 7". This
> > stands for X509_V_ERR_CERT_SIGNATURE_FAILURE.
>
> If you modify a certificate, its signature will be invalid.
>
> --
> Viktor.