Long response short, yes, you can.
Prepare and fill in your X509 object, perform the signature with your EVP_PKEY 
private key, format the resulting signature into a BIT STRING, place this BIT 
STRING into your previous X509 object, and complete it with the AlgorithmIdentifier 
you chose when signing (it should already have been set in the TBSCertificate 
structure, just copy it from there).
The resulting X.509 certificate can be used for anything and is not limited to 
SSL client verification.

In the previous paragraph, I assume your smart card contains the CA private 
key, and you want to sign certificates (either subCA or subscriber, it doesn’t 
matter). That’s how I understood your question.

If you want to do all this using only openssl CLI, that’s doable with a 
specially crafted config file declaring your engine and its parameters.

Regards,
Erwann Abalea
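As an added illustration (not part of the thread above), the following script walks the "openssl CLI only" route end to end with a software CA key standing in for the smart-card key: it builds a CA, signs a subscriber certificate with it, verifies the chain, and then uses asn1parse to show the three-element Certificate SEQUENCE and the duplicated AlgorithmIdentifier that the earlier message describes. It assumes an openssl binary (1.1.1 or 3.x) on PATH and writes its own minimal config so it does not depend on the system openssl.cnf; the engine declaration needed for a real OpenSC-backed key is not shown, and all names and subjects are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the openssl-users thread.
# Builds a CA and a CA-signed subscriber certificate with the openssl CLI
# alone, then inspects the resulting Certificate structure.
# Assumption: a software RSA key stands in for the smart-card CA key; with
# OpenSC you would point -CAkey at the engine-managed key instead (not shown).
set -e

# Minimal config so the run does not depend on the system openssl.cnf.
# ca_ext marks the self-signed certificate as a CA; client_ext is applied
# to the subscriber certificate.
write_config() {
cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = ca_ext

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Create ca.pem, client.pem and their keys inside directory $1.
make_certs() {
    dir=$1
    write_config "$dir/openssl.cnf"

    # 1. CA key and self-signed CA certificate (the key is the stand-in
    #    for the private key that lives on the smart card).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca.key" 2>/dev/null
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/ca.key" \
        -subj "/CN=Example Test CA" -days 1 -sha256 -out "$dir/ca.pem"

    # 2. Subscriber key and CSR; the CSR supplies the subject and public
    #    key that end up in the TBSCertificate.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/client.key" 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/client.key" \
        -subj "/CN=client" -out "$dir/client.csr"

    # 3. Sign. openssl builds the TBSCertificate, signs its DER encoding with
    #    the CA key, wraps the raw signature in a BIT STRING and emits the
    #    complete Certificate SEQUENCE, which is exactly what "rsautl -sign"
    #    followed by "openssl x509" cannot produce on its own.
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 -sha256 \
        -extfile "$dir/openssl.cnf" -extensions client_ext \
        -out "$dir/client.pem" 2>/dev/null
}

# Number of elements directly inside the outer Certificate SEQUENCE.
# asn1parse prints one line per element tagged with its depth; depth 1 holds
# exactly tbsCertificate, signatureAlgorithm and signatureValue.
top_level_elements() {
    openssl asn1parse -in "$1" | grep -c ':d=1 '
}

# The signature AlgorithmIdentifier OID appears twice: once as the
# "signature" field inside tbsCertificate and once as the outer
# signatureAlgorithm. Both must carry the same OID.
sigalg_occurrences() {
    openssl asn1parse -in "$1" | grep -c ':sha256WithRSAEncryption'
}

# Demo run: build everything in a scratch directory and verify the chain.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_certs "$WORK"
openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem"
echo "top-level elements in client.pem: $(top_level_elements "$WORK/client.pem")"
echo "sha256WithRSAEncryption occurrences: $(sigalg_occurrences "$WORK/client.pem")"
```

The `openssl verify` step is the practical check: a certificate assembled from a bare `rsautl -sign` output would fail here because there is no TBSCertificate and no outer AlgorithmIdentifier for the verifier to hash and compare against the signature.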



> On 22 Jul 2015 at 11:57, Anirudh Raghunath <anirudhraghun...@rocketmail.com> 
> wrote:
> 
> Thanks for the quick response. I am currently working with smart cards and am 
> using the engine provided by OpenSC to access the private key in the smart 
> card. Long story short, I have the EVP_PKEY object with me. Can I use this to 
> sign a certificate or some file which can be used for SSL client 
> verification? 
> 
> Thanks
> 
> 
> 
> On Wednesday, 22 July 2015 11:52 AM, Erwann Abalea 
> <erwann.aba...@opentrust.com> wrote:
> 
> 
> Hello,
> 
> An X.509 certificate is:
> 
> Certificate  ::=  SEQUENCE  {
>         tbsCertificate       TBSCertificate,
>         signatureAlgorithm   AlgorithmIdentifier,
>         signatureValue       BIT STRING  }
> 
> What you produced with « openssl rsautl -sign » is the content of the « 
> signatureValue » element (not its BIT STRING structure, only the inner 
> content).
> What is missing is all the rest, and it can’t be produced by the sole « 
> openssl x509 … » command.
> 
> Please refine your question.
> 
> Regards,
> Erwann Abalea
> 
> 
> 
>> On 22 Jul 2015 at 11:17, Anirudh Raghunath <anirudhraghun...@rocketmail.com> 
>> wrote:
>> 
>> Hello,
>> 
>> I have used the rsautl -sign option to sign a text file, which gives me a binary 
>> file. I would like to convert this to X509 so that I can use it in an SSL 
>> handshake. I understand the command:
>> 
>> openssl x509 -inform <format> -in <certfile> -out <cert.pem> 
>> 
>> is used. I want to know what the parameters would be for a binary input file.
>> 
>> Thanks in advance. 
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 
> 
> 
