>       From: owner-openssl-us...@openssl.org On Behalf Of Laerte Junior
>       Sent: Wednesday, 16 November, 2011 06:23

>       First, thanks for your answer.
>       But I am using a crypt processor to generate the key pair (rsa 1024), 
> and I implement the ASN.1 structure of the certificate manually 
> (I don't have enough memory to use the openssl lib), because I am using 
> an MSP430F5438A processor.

Okay.

>       Probably I did not explain correctly; the attached file explains 
> the procedures in my project, and I need to follow the steps below:

Aside: your figure says "Certificate encrypted by hardware key".
The certificate contains the key for your device, which is hardware 
(apparently); and is signed by the CA's key, which may be hardware 
or not (for openssl usually not). Certificates generally are 
NOT encrypted, and certificates in PKCS#7 definitely are not.
Also the picture shows RA on the 'create' (issue) box, and the 
related text, although terse, is probably backward; if RA and CA 
are separate (and often they aren't), it is really "RA issues 
through CA" or "CA issues from or as a result of RA".

>       1 - My project generates a CSR in PKCS#10 format (implemented 
> using my crypt processor to generate keys and sign the structure);
>       2 - The CA receives my CSR in PKCS#10 format, generates the 
> certificate and sends it to me in PKCS#7 format (this is the step 
> that I do not understand how to do);
>       3 - Store the certificate in Flash memory (not implemented yet, 
> but it is not difficult)
        
>       For step 2 I tried to use openssl, but I do not understand it, 
> because there aren't examples of how to implement the certificate.
        
So you want to be the CA and issue a cert for the CSR 
(thus publickey) from your device, for your device to use.

OpenSSL commandline 'ca' provides the technical part of a CA: 
issue certs, record them (in a file), optionally revoke them.
It does not implement the business side of a real CA/RA 
such as verifying identities and establishing policies; 
it sounds like in your situation these aren't needed.

OpenSSL commandline 'x509' with option '-req' provides 
the minimal function of simply issuing a cert from a CSR, 
which may be all you need.

The man pages on your system (if Unixy and fully installed) 
or on the website describe these capabilities in detail.
Basically you create a CA keypair and selfsigned (root) cert, 
a file to specify the serialnumber, and for 'ca' a 'database' 
file that is initially empty and depending on your options 
and config possibly some directories. Then you run 'ca' or 
'x509 -req' with options to read the CSR and issue the cert.

Note in both methods OpenSSL can include extensions in the 
issued cert, but the method of doing so is slightly different.
If your device will use this cert for purposes (like SSL) 
that need or want certain extensions, find out which 
extensions/values before you do the cert-issue operation(s). 
And decide and specify how long a validity period you want.
In both methods also you can set up multi-level CA hierarchy 
if you want, but for a private CA this is usually unneeded.

Either method creates the cert by itself as a file (PEM or 
DER). As I said, I don't believe any openssl commandline 
function will create a 'degenerate' (cert-only) PKCS#7, which 
is a signeddata with zero signerinfos (and zero digestalgs), 
omitted or dummy content, and your cert(s). You could:

- (probably) write a tiny program using the PKCS7_* API; 
on a quick scan it looks like you can just create a 
(inner) PKCS7 and _set0_other(data,empty octet string), then a 
(outer) PKCS7 and _set_type(,signed) and _set_content(,thatdata)
and _add_cert and write it out, but I haven't tested.

- write a small program to take a cert and build a degenerate 
signeddata. If you understand DER enough to build a PKCS#10, 
a PKCS#7 is no harder.

- use commandline 'smime' with '-pk7out' to create signeddata 
WITH a signerinfo, PLUS the 'additional' cert(s) you want, 
and have your device ignore the signature and just extract the 
cert(s). The underlying data is omitted unless you specify 
'-nodetach' or you can just use minimal dummy data.

- if on Windows, or you have a Windows machine available, 
use InternetOptions (under ControlPanel, or from IE) to 
import the cert to any convenient store, such as OtherPeople, 
then export as PKCS#7. And clean up afterwards.
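
The second option in the list above (a small program that takes a cert and builds a degenerate signeddata), sketched in Python as an added example; it is not code from the original message or from OpenSSL. The function names and the stand-in certificate bytes are constructed for illustration.

```python
# Added example (not from the original message): certs-only PKCS#7 in DER.
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")         # 1.2.840.113549.1.7.1


def tlv(tag, value):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value


def check_cert_der(der):
    """Require exactly one DER SEQUENCE with no trailing bytes."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certificate must be a DER SEQUENCE")
    hdr, n = 2, der[1]
    if n >= 0x80:                      # long form: low 7 bits = length octets
        k = n & 0x7F
        if k == 0 or len(der) < 2 + k:
            raise ValueError("bad DER length")
        hdr, n = 2 + k, int.from_bytes(der[2:2 + k], "big")
    if hdr + n != len(der):
        raise ValueError("length mismatch or trailing bytes")


def degenerate_pkcs7(cert_ders):
    """Wrap DER certificates in a SignedData with no signers."""
    for cert in cert_ders:
        check_cert_der(cert)
    signed_data = tlv(0x30, b"".join([
        tlv(0x02, b"\x01"),                      # version 1
        tlv(0x31, b""),                          # digestAlgorithms: empty SET
        tlv(0x30, OID_DATA),                     # contentInfo: data, content omitted
        tlv(0xA0, b"".join(sorted(cert_ders))),  # certificates [0] IMPLICIT SET OF
        tlv(0x31, b""),                          # signerInfos: empty SET
    ]))
    # Outer ContentInfo: signedData OID, then [0] EXPLICIT SignedData
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, signed_data))


# Constructed stand-in, NOT a real X.509 certificate: a 304-byte SEQUENCE,
# long enough to exercise long-form lengths. Use the issued cert's DER instead.
SAMPLE_CERT = tlv(0x30, b"\x00" * 300)
SAMPLE_P7 = degenerate_pkcs7([SAMPLE_CERT])
```

With a real certificate as input, the resulting file can be checked with `openssl pkcs7 -inform DER -print_certs` before it is sent to the device.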

