Old 01-12-2006, 09:34 AM   #1
new_to_open_ssl
LQ Newbie
 
Registered: Jan 2006
Posts: 10

Rep: Reputation: 0
Question OpenSSL: generate Intermediate CA?


Basically, I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.

Here is the problem: I need to generate a MID_CA(key/cert).pem pair, and the documentation I have found on the net so far regarding this appears almost nil.

Does anyone know the command sequence to generate this from the CA?


//Moderator note: I merged three of your threads with the same subject (aka SPAM). While one was being transferred from another forum you should have waited. Please read the LQ rules you agreed to when you signed up and do not try to pull that stunt again.

Last edited by unSpawn; 01-12-2006 at 04:40 PM.
 
Old 01-12-2006, 01:58 PM   #2
ctkroeker
Senior Member
 
Registered: May 2005
Location: Paraguay
Posts: 1,565
Blog Entries: 1

Rep: Reputation: 50
Please post your question in its appropriate forum.
This post has been reported.
 
Old 01-12-2006, 02:34 PM   #3
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 430
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 01-12-2006, 02:35 PM   #4
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,537

Rep: Reputation: 149
Well...to Linux-Security...
 
Old 01-12-2006, 02:45 PM   #5
new_to_open_ssl
LQ Newbie
 
Registered: Jan 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Creating Mid_CA_CERT and MID_CA_KEY.pem

Basically, I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.

Here is the problem: I need to generate a MID_CA(key/cert).pem pair, and the documentation I have found on the net so far regarding this appears almost nil.

Does anyone know the command sequence to generate this from the CA?
 
Old 01-12-2006, 02:56 PM   #6
new_to_open_ssl
LQ Newbie
 
Registered: Jan 2006
Posts: 10

Original Poster
Rep: Reputation: 0
creating Intermediate CA

Does anyone have detailed instructions from the command line on how to create an intermediate certificate from a CA?

Basically I need to generate a MID_CA_CERT.pem and MID_CA_KEY.pem
 
Old 01-13-2006, 09:08 AM   #7
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Read up on certificate chains. When dealing with certificates, it's basically about trusting the signer. You might need to add the signing CA certificate to the certificate chain. Of course, your browser will probably throw an error for that also if you have not imported the CA cert into your browser.
 
Old 01-16-2006, 10:19 AM   #8
new_to_open_ssl
LQ Newbie
 
Registered: Jan 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Question regarding Chains

Quote:
Originally Posted by stickman
Read up on certificate chains. When dealing with certificates, it's basically about trusting the signer. You might need to add the signing CA certificate to the certificate chain. Of course, your browser will probably throw an error for that also if you have not imported the CA cert into your browser.
I read up on certificate chains. Basically, the intermediate chain I'm trying to generate is for a test environment for a printer. I've already generated the CAcert. I just can't find any clear documentation on how to manually generate an intermediate certificate. Do you know the command or location of documentation that might help?


Is this the command set?

openssl req -new -config openssl.cnf \
-out proxy2.req -keyout proxy2.key
openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
-out proxy2.crt -CA proxy.crt -CAkey proxy.key \
-extfile openssl.cnf -extensions v3_proxy2

Thank you,
Ed

Last edited by new_to_open_ssl; 01-16-2006 at 10:34 AM.
 
Old 01-16-2006, 09:11 PM   #9
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
I'm a little confused on what you are attempting to do? What key did you use to sign the CSR for your printer? If you used your CA key, then there is no other intermediate certificate.
 
Old 01-17-2006, 08:23 AM   #10
new_to_open_ssl
LQ Newbie
 
Registered: Jan 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by stickman
I'm a little confused on what you are attempting to do? What key did you use to sign the CSR for your printer? If you used your CA key, then there is no other intermediate certificate.
First I need to construct an intermediate CA. I'm not sure of the manual process to create this. The path should be intermediateCA->CA, I think. The correct commands to do this are what I'm looking for.
 
Old 01-17-2006, 05:52 PM   #11
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
What key did you sign the printer CSR with?
 
Old 01-18-2006, 02:23 PM   #12
new_to_open_ssl
LQ Newbie
 
Registered: Jan 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by stickman
What key did you sign the printer CSR with?
I think the intermediate CA, but could be old MID CA. It's signed by the printer and downloaded to my desktop.
 
Old 01-18-2006, 07:31 PM   #13
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
If the printer signed its own CSR, then there is no intermediate cert unless your printer manufacturer provides it. If you signed the printer CSR with your OpenSSL CA key, then your OpenSSL CA cert is the next link in the chain. You can't just generate an intermediate CA cert and stuff it between two certs. The signatures must "cascade down" the links of the certificate chain.
 
Old 01-20-2006, 08:22 AM   #14
new_to_open_ssl
LQ Newbie
 
Registered: Jan 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by stickman
If the printer signed its own CSR, then there is no intermediate cert unless your printer manufacturer provides it. If you signed the printer CSR with your OpenSSL CA key, then your OpenSSL CA cert is the next link in the chain. You can't just generate an intermediate CA cert and stuff it between two certs. The signatures must "cascade down" the links of the certificate chain.

I figured out the intermediate part with ./CA.pl -signCA. I'm worried that the key file generated from newreq.pem also has the CSR inside. Will this affect the new key?
 
Old 01-23-2006, 09:58 PM   #15
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally Posted by new_to_open_ssl
I figured out the intermediate part with ./CA.pl -signCA. I'm worried that the key file generated from newreq.pem also has the CSR inside. Will this affect the new key?
Do you mean the cert generated from the CSR? Most applications using SSL require just the initial key and the matching cert to start.
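
Added example, not part of the original thread: one command sequence that builds the chain discussed above (root CA signs the intermediate, the intermediate signs the printer certificate) using plain openssl rather than CA.pl, then checks that the signatures "cascade down". The file names (ca_*, mid_*, printer_*, ca.cnf), subject names and 30-day lifetimes are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example: root CA -> intermediate CA -> leaf (printer) certificate.
# File names, subjects and lifetimes are constructed; keys are unencrypted (demo only).
write_config() {   # CA:TRUE in basicConstraints is what makes a cert an intermediate
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_mid]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}
new_csr() {        # new_csr NAME SUBJECT: fresh key pair plus signing request
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "$2" \
        -keyout "${1}_key.pem" -out "${1}.csr"
}
sign_csr() {       # sign_csr NAME ISSUER SECTION: ISSUER's key signs NAME.csr
    openssl x509 -req -in "${1}.csr" -days 30 -CAcreateserial \
        -CA "${2}_cert.pem" -CAkey "${2}_key.pem" \
        -extfile ca.cnf -extensions "$3" -out "${1}_cert.pem"
}
build_chain() (    # subshell body, so the cd does not leak to the caller
    mkdir -p "$1" && cd "$1" && write_config ca.cnf &&
    # Self-signed root: stand-in for the CA key pair you already have.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout ca_key.pem -out ca_cert.pem &&
    new_csr mid "/CN=Demo Intermediate CA" && sign_csr mid ca v3_mid &&
    new_csr printer "/CN=printer.example.test" && sign_csr printer mid v3_leaf
)
verify_chain() (   # leaf -> intermediate (untrusted, supplied) -> trusted root
    cd "$1" && openssl verify -CAfile ca_cert.pem -untrusted mid_cert.pem printer_cert.pem
)
verify_without_mid() (  # same leaf, intermediate withheld: verification fails
    cd "$1" && openssl verify -CAfile ca_cert.pem printer_cert.pem
)
d=$(mktemp -d) && build_chain "$d" && verify_chain "$d"
```

The pathlen:0 constraint lets the intermediate sign end-entity certificates but not further CAs. In real use the root key stays offline and both CA keys are passphrase-protected, so drop -nodes outside a test environment.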
 
  

