Hi,

First, thanks for your answer. But I am using a crypt processor to generate the key pair (RSA 1024), and I implement the ASN.1 structure of the certificate manually (I don't have enough memory to use the openssl lib), because I am using an MSP430F5438A processor.

Probably I did not explain correctly; the attached file explains the procedures in my project, and I need to follow the steps below:

1 - My project generates a CSR in PKCS#10 format (implemented using my crypt processor to generate keys and sign the structure);
2 - The CA receives my CSR in PKCS#10 format, generates the certificate and sends it to me in PKCS#7 format (this is the step that I do not understand how to do);
3 - Store the certificate in flash memory (not implemented yet, but it is not difficult).

For step 2 I tried to use openssl, but I do not understand it, because there aren't examples of how to implement the certificate.

Thanks for the help,
Laerte Junior

> From: dthomp...@prinpay.com
> To: openssl-users@openssl.org
> Subject: RE: How to do generate PKCS#7 to embedded system
> Date: Mon, 14 Nov 2011 17:36:25 -0500
>
> > From: owner-openssl-us...@openssl.org On Behalf Of Laerte Junior
> > Sent: Saturday, 12 November, 2011 14:22
>
> > I'm working with embedded system project and I need to receive PKCS7
> > and store the fields(DN, signature, public key, etc.). Before, I generate
> > a CSR to test (attached file), but now I need to generate PKCS7 to test.
> > How to do it? I need to generate a small PKCS7 as possible.
>
> PKCS7 actually is (was designed as) a general format for
> lots of things, including signed and/or encrypted data.
> However, it is commonly used 'merely' to transfer one or more
> certificate(s) and/or one or more CRL(s) -- nominally for use
> to verify a related signeddata, but actually for any purpose.
>
> The fields you name are in a cert; do you want to receive a cert?
> If so, you must first get a cert, corresponding to your CSR.
>
> Is this CSR from the 'embedded' system, or an outside one?
> If the former, presumably what you want is to give the embedded
> system a cert for its keypair; what kind of cert? If the latter,
> why do you need to pre-transfer the cert rather than presenting
> it when referenced? How it is used for trust decisions will
> influence exactly which cert(s) (i.e. chain(s)) you need.
>
> If you want a selfsigned cert and have or can get its private
> key, openssl can do that. Of course a selfsigned cert doesn't
> generally deserve trust so this might not gain you much.
> If you want a cert issued (signed) under your own CA (key)(s),
> openssl can do that. If you want a cert issued under a public
> or other outside CA, you need to interact with that CA.
> Alternatively, if you just want a selfsigned cert for a
> private key you have, openssl can do that directly.
>
> If this will be a cert for the system's own keypair to be
> presented to others, storing only fields may be problematic.
> You will need to reconstruct (at least) exactly the same DER
> "cert-info" (aka TBS) as was in the issued or selfsigned cert.
> If not selfsigned, you may need to have (and present) part of
> the CA chain, up to (but not necessarily including) the trusted
> CA root or other (subroot) cert already on (all) the relier(s).
>
> If you get the cert from a real CA, it might provide you a
> 'degenerate' PKCS7 with your cert and any needed chain certs.
> AFAIK openssl commandline cannot create this; 'pkcs7' *reads*
> it (but doesn't write), and 'smime' optionally creates a real
> pkcs7: at minimum this would be a detached signature (which your
> receiver needn't and shouldn't verify) for data you discard.
> You could write about a 10-line program using openssl library
> to create a degenerate PKCS7 for a cert, or chain.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
<<attachment: Certificate_procedures.jpg>>
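
For the receiving side on a device with hand-written ASN.1, an added example (not code from either poster or from OpenSSL): a dependency-free C walk of a certs-only ('degenerate') PKCS#7 that returns the first certificate's complete DER bytes, so the device can store them unmodified and keep the TBS encoding intact. The names der_next, p7_first_cert and SAMPLE_P7 are hypothetical, and the sample bytes are constructed with a 5-byte placeholder in place of a real certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one DER TLV at *p (bounded by end): store its tag, point *val at the
   contents, set *len, advance *p past the element. Returns 0, or -1 if bad. */
static int der_next(const uint8_t **p, const uint8_t *end, uint8_t *tag,
                    const uint8_t **val, size_t *len) {
    const uint8_t *q = *p;
    if (end - q < 2) return -1;
    *tag = *q++;
    size_t n = *q++;
    if (n & 0x80) {                        /* long form: accept 1 or 2 length bytes */
        size_t k = n & 0x7F;               /* k == 0 is BER indefinite length: reject */
        if (k == 0 || k > 2 || (size_t)(end - q) < k) return -1;
        for (n = 0; k--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;  /* contents must fit inside the parent */
    *val = q; *len = n; *p = q + n;
    return 0;
}

static const uint8_t OID_SIGNED_DATA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02};
/* Find the first certificate (full DER, tag and length included) in a
   certs-only PKCS#7. Returns 0 and sets *cert / *cert_len, or -1 if malformed. */
int p7_first_cert(const uint8_t *buf, size_t n, const uint8_t **cert, size_t *cert_len) {
    const uint8_t *p = buf, *end = buf + n, *v, *start; size_t l; uint8_t t;
    if (der_next(&p, end, &t, &v, &l) || t != 0x30) return -1;  /* ContentInfo */
    p = v; end = v + l;
    if (der_next(&p, end, &t, &v, &l) || t != 0x06 || l != sizeof OID_SIGNED_DATA
        || memcmp(v, OID_SIGNED_DATA, l)) return -1;            /* must be signedData */
    if (der_next(&p, end, &t, &v, &l) || t != 0xA0) return -1;  /* [0] EXPLICIT */
    p = v; end = v + l;
    if (der_next(&p, end, &t, &v, &l) || t != 0x30) return -1;  /* SignedData */
    p = v; end = v + l;
    if (der_next(&p, end, &t, &v, &l) || t != 0x02) return -1;  /* version */
    if (der_next(&p, end, &t, &v, &l) || t != 0x31) return -1;  /* digestAlgorithms */
    if (der_next(&p, end, &t, &v, &l) || t != 0x30) return -1;  /* inner contentInfo */
    if (der_next(&p, end, &t, &v, &l) || t != 0xA0) return -1;  /* certificates [0] */
    start = p = v; end = v + l;
    if (der_next(&p, end, &t, &v, &l) || t != 0x30) return -1;  /* Certificate */
    *cert = start; *cert_len = (size_t)(p - start);
    return 0;
}

/* Constructed sample: the "certificate" is a 5-byte placeholder SEQUENCE, not real X.509. */
const uint8_t SAMPLE_P7[] = { 0x30,0x2A, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,
    0xA0,0x1D, 0x30,0x1B, 0x02,0x01,0x01, 0x31,0x00,
    0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,
    0xA0,0x05, 0x30,0x03,0x02,0x01,0x05, 0x31,0x00 };
```

Every length is checked against its enclosing element before any pointer moves, so a truncated or oversized field in the CA response is rejected instead of read past the buffer. A response that uses BER indefinite lengths is also rejected and would have to be re-encoded as DER before it reaches the device.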