Bang!! Thanks Dave, I agree with Sandy's comment about the OpenSSL API's documentation.
Thanks again,
Saurabh

On 7/28/12, Dave Thompson <dthomp...@prinpay.com> wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya
>> Sent: Friday, 27 July, 2012 10:21
>
>> On 7/27/12, Saurabh Pandya <er.saurabhpan...@gmail.com> wrote:
>>
>> >> Do roughly the same thing apps/ca.c does, except you probably don't
>> >> need all its options but may want some other options:
>> >>
>> >> Create an X509 and set all needed X509_CINF fields in that X509
>> >> to values that you either extract from the X509_REQ and approve,
>> >> or choose by your own logic (serial at least). Then sign the X509.
>> >
>> > Using my self-signed CA's private key, isn't it??
>> >
> Yes. See below.
>
>> I am asking this as I have the basic question about
>> certificate signing
>>
>> -> I have my self-signed CA "A" and CA key file "B"
>
> I assume that's CA-cert file A and CA-key file B
>
>> -> I create another RSA key pair "EVP_PKEY *pkey" to be used for
>> child leaf certificates
>> -> I create a certificate "X509 *x" (that is supposed to
>> be a child of my CA)
>> I am setting the public key by the following, which will set the public key
>> part of the RSA key "pkey" in my certificate "x":
>> X509_set_pubkey(x, pkey)
>> And I am signing the certificate with my private key:
>> X509_sign(x, pkey)
>>
> No. That makes the child self-signed, not signed by the CA.
>
>> Then how can I make my normal server certificate
>> "x" a child of
>> my CA certificate "A"? Do I need to sign it with "B"?
>>
>> I am confused about which keys to set in X509_set_pubkey()
>> and X509_sign
>> when I want a certificate that appears to be issued by my CA.
>>
> X509_set_pubkey to (public part of) child's key (pkey)
> X509_set_subject_name to name of the child
> X509_set_issuer_name to name of the CA, specifically
> X509_get_subject_name from the CA-cert in file A.
> X509_set_serialNumber to a unique value you choose
> (some CAs use actual serial numbers 1,2,3,... but most
> nowadays use an obscured or totally random sequence)
> X509_set_notBefore,notAfter as desired (usually notBefore=now
> notAfter=now plus some interval like 3 months, 1 year, etc.)
> X509_set_version depending on whether you do extensions or not
> X509v3_add_ext or various X509V3_ routines for extensions
> then X509_sign using (private part of) CA-key in file B
>
> and also save the child's private key for the child to use
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
> ______________________________________________________________________