LinuxQuestions.org


new_to_open_ssl 01-12-2006 10:34 AM

OpenSSL: generate Intermediate CA?
 
Basically I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.

Here is the problem: I need to generate a MID_CA(key/cert).pem pair, and the documentation I have found on the net so far regarding this appears almost nil.

Does anyone know the command sequence to generate this from the CA?


//Moderator note: I merged three of your threads with the same subject (aka SPAM). While one was being transferred from another forum you should have waited. Please read the LQ rules you agreed to when you signed up and do not try to pull that stunt again.

ctkroeker 01-12-2006 02:58 PM

Please post your question in its appropriate forum.
This post has been reported.

XavierP 01-12-2006 03:34 PM

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.

Mara 01-12-2006 03:35 PM

Well...to Linux-Security...

new_to_open_ssl 01-12-2006 03:45 PM

Creating Mid_CA_CERT and MID_CA_KEY.pem
 
Basically I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.

Here is the problem: I need to generate a MID_CA(key/cert).pem pair, and the documentation I have found on the net so far regarding this appears almost nil.

Does anyone know the command sequence to generate this from the CA?

new_to_open_ssl 01-12-2006 03:56 PM

creating Intermediate CA
 
Does anyone have detailed instructions from the command line on how to create an intermediate certificate from a CA?

Basically I need to generate a MID_CA_CERT.pem and MID_CA_KEY.pem

stickman 01-13-2006 10:08 AM

Read up on certificate chains. When dealing with certificates, it's basically about trusting the signer. You might need to add the signing CA certificate to the certificate chain. Of course, your browser will probably throw an error for that also if you have not imported the CA cert into your browser.

new_to_open_ssl 01-16-2006 11:19 AM

Question regarding Chains
 
Quote:

Originally Posted by stickman
Read up on certificate chains. When dealing with certificates, it's basically about trusting the signer. You might need to add the signing CA certificate to the certificate chain. Of course, your browser will probably throw an error for that also if you have not imported the CA cert into your browser.

I read up on certificate chains. Basically the intermediate chain I'm trying to create is for a test environment for a printer. I've already generated the CAcert. I just can't find any clear documentation on how to manually generate an intermediate certificate. Do you know the command or location of documentation that might help?


Is this the command set?

openssl req -new -config openssl.cnf \
-out proxy2.req -keyout proxy2.key
openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
-out proxy2.crt -CA proxy.crt -CAkey proxy.key \
-extfile openssl.cnf -extensions v3_proxy2

Thank you,
Ed

stickman 01-16-2006 10:11 PM

I'm a little confused on what you are attempting to do. What key did you use to sign the CSR for your printer? If you used your CA key, then there is no other intermediate certificate.

new_to_open_ssl 01-17-2006 09:23 AM

Quote:

Originally Posted by stickman
I'm a little confused on what you are attempting to do. What key did you use to sign the CSR for your printer? If you used your CA key, then there is no other intermediate certificate.

First I need to construct an intermediate CA. I'm not sure of the manual process to create this. The path should be intermediateCA->CA, I think. The correct commands to do this are what I'm looking for.

stickman 01-17-2006 06:52 PM

What key did you sign the printer CSR with?

new_to_open_ssl 01-18-2006 03:23 PM

Quote:

Originally Posted by stickman
What key did you sign the printer CSR with?

I think the intermediate CA, but it could be the old MID CA. It's signed by the printer and downloaded to my desktop.

stickman 01-18-2006 08:31 PM

If the printer signed its own CSR, then there is no intermediate cert unless your printer manufacturer provides it. If you signed the printer CSR with your OpenSSL CA key, then your OpenSSL CA cert is the next link in the chain. You can't just generate an intermediate CA cert and stuff it between two certs. The signatures must "cascade down" the links of the certificate chain.

new_to_open_ssl 01-20-2006 09:22 AM

Quote:

Originally Posted by stickman
If the printer signed its own CSR, then there is no intermediate cert unless your printer manufacturer provides it. If you signed the printer CSR with your OpenSSL CA key, then your OpenSSL CA cert is the next link in the chain. You can't just generate an intermediate CA cert and stuff it between two certs. The signatures must "cascade down" the links of the certificate chain.


I figured out the intermediate part with ./CA.pl -signCA. I'm worried that the key file generated from newreq.pem also has the CSR inside. Will this affect the new key?

stickman 01-23-2006 10:58 PM

Quote:

Originally Posted by new_to_open_ssl
I figured out the intermediate part with ./CA.pl -signCA. I'm worried that the key file generated from newreq.pem also has the CSR inside. Will this affect the new key?

Do you mean the cert generated from the CSR? Most applications using SSL require just the initial key and the matching cert to start.
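
The chain discussed in this thread, as an added example that is not part of any post above: a root CA signs an intermediate CA, the intermediate signs a leaf, and an intermediate generated afterwards with the same name fails to validate that leaf. It uses plain `openssl req` / `openssl x509 -req` rather than the `CA.pl -signCA` the poster mentions; all file names, subjects and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example; every name, subject and lifetime below is constructed.
set -eu

make_chain() (   # usage: make_chain DIR  (runs in a subshell, so cd is local)
    cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
EOF
    newreq() {   # newreq NAME SUBJECT: fresh key plus CSR
        openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    sign() {     # sign NAME ISSUER SECTION: ISSUER's key signs NAME's CSR
        openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
            -days 7 -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
    }
    # Root: self-signed, stands in for the CA key pair the poster already has.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
        -extensions v3_ca -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null
    newreq mid "/CN=Demo Intermediate CA";  sign mid root v3_ca     # root signs intermediate
    newreq leaf "/CN=printer.example.test"; sign leaf mid v3_leaf   # intermediate signs leaf
    # Look-alike intermediate: same subject, different key, made after the leaf was issued.
    newreq late "/CN=Demo Intermediate CA"; sign late root v3_ca
)

# chain_ok DIR INTERMEDIATE.crt: does leaf -> INTERMEDIATE -> root verify?
chain_ok() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2" "$1/leaf.crt" >/dev/null 2>&1
}

leaf_issuer() { openssl x509 -in "$1/leaf.crt" -noout -issuer -nameopt RFC2253; }

demo=$(mktemp -d)
make_chain "$demo"
leaf_issuer "$demo"
chain_ok "$demo" mid.crt  && echo "leaf verifies through mid.crt"
chain_ok "$demo" late.crt || echo "leaf does NOT verify through late.crt: its key never signed the leaf"
rm -rf "$demo"
```
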


All times are GMT -5.