OpenSSL: generate Intermediate CA?
Basically I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.
Here is the problem: I need to generate a MID_CA(key/cert).pem pair, and the documentation I have found on the net as yet regarding this appears almost nil. Does anyone know the command sequence to generate this from the CA?
//Moderator note: I merged three of your threads with the same subject (aka SPAM). While one was being transferred from another forum you should have waited. Please read the LQ rules you agreed to when you signed up and do not try to pull that stunt again.
Please post your question in its appropriate forum.
This post has been reported.
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
Well...to Linux-Security...
Creating Mid_CA_CERT and MID_CA_KEY.pem
Basically I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.
Here is the problem: I need to generate a MID_CA(key/cert).pem pair, and the documentation I have found on the net as yet regarding this appears almost nil. Does anyone know the command sequence to generate this from the CA?
creating Intermediate CA
Does anyone have detailed instructions from the command line on how to create an intermediate certificate from a CA?
Basically I need to generate a MID_CA_CERT.pem and MID_CA_KEY.pem
Read up on certificate chains. When dealing with certificates, it's basically about trusting the signer. You might need to add the signing CA certificate to the certificate chain. Of course, your browser will probably throw an error for that also if you have not imported the CA cert into your browser.
Question regarding Chains
Is this the command set?

    openssl req -new -config openssl.cnf \
        -out proxy2.req -keyout proxy2.key
    openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
        -out proxy2.crt -CA proxy.crt -CAkey proxy.key \
        -extfile openssl.cnf -extensions v3_proxy2

Thank you, Ed
I'm a little confused on what you are attempting to do? What key did you use to sign the CSR for your printer? If you used your CA key, then there is no other intermediate certificate.
What key did you sign the printer CSR with?
If the printer signed its own CSR, then there is no intermediate cert unless your printer manufacturer provides it. If you signed the printer CSR with your OpenSSL CA key, then your OpenSSL CA cert is the next link in the chain. You can't just generate an intermediate CA cert and stuff it between two certs. The signatures must "cascade down" the links of the certificate chain.
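
The cascade described in the reply above, as an added example that is not part of the original thread: the root signs the intermediate's CSR with CA extensions, the intermediate signs the leaf, and `openssl verify` confirms that the leaf only validates when the intermediate is supplied. MID_CA_KEY.pem and MID_CA_CERT.pem follow the names asked for in the question; ca_key.pem, ca_cert.pem, the leaf files, ca.cnf and its section names are assumptions made for this sketch.

```shell
# Added example. ca_key.pem / ca_cert.pem are a throwaway stand-in for the
# existing CA pair; keys are left unencrypted (-nodes) only for the demo.
make_chain() (
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
  # 1. Self-signed root (skip when a real CA pair already exists).
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_root \
    -subj "/CN=Example Root CA" -days 30 -keyout ca_key.pem -out ca_cert.pem &&
  # 2. Intermediate: its own key and CSR, signed by the ROOT key as a CA cert.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=Example Intermediate CA" -keyout MID_CA_KEY.pem -out mid.csr &&
  openssl x509 -req -in mid.csr -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_intermediate -out MID_CA_CERT.pem &&
  # 3. Leaf (for example the printer): signed by the INTERMEDIATE key.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=printer.example.test" -keyout leaf_key.pem -out leaf.csr &&
  openssl x509 -req -in leaf.csr -CA MID_CA_CERT.pem -CAkey MID_CA_KEY.pem \
    -CAcreateserial -days 7 -extfile ca.cnf -extensions v3_leaf -out leaf_cert.pem
)
# Leaf -> intermediate -> root: succeeds only when every link is present.
chain_ok() {
  openssl verify -CAfile "$1/ca_cert.pem" -untrusted "$1/MID_CA_CERT.pem" \
    "$1/leaf_cert.pem" >/dev/null 2>&1
}
# Without the intermediate the leaf's issuer cannot be found, so verify fails.
leaf_alone_fails() {
  ! openssl verify -CAfile "$1/ca_cert.pem" "$1/leaf_cert.pem" >/dev/null 2>&1
}
work=$(mktemp -d)
make_chain "$work" 2>/dev/null && chain_ok "$work" && leaf_alone_fails "$work" &&
  echo "chain OK in $work"
```

A server using the leaf should present leaf_cert.pem followed by MID_CA_CERT.pem; clients only need ca_cert.pem as the trust anchor.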
I figured out the intermediate part with ./CA.pl -signCA. I'm worried that the key file generated from newreq.pem also has the CSR inside. Will this affect the new key?