01-12-2006, 09:34 AM
|
#1
|
LQ Newbie
Registered: Jan 2006
Posts: 10
Rep:
|
OpenSSL: generate Intermediate CA?
Basically I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.
Here is the problem: I need to generate a MID_CA(key/cert).pem pair, and the documentation I have found on the net so far regarding this appears almost nil.
Does anyone know the command sequence to generate this from the CA?
//Moderator note: I merged three of your threads with the same subject (aka SPAM). While one was being transferred from another forum you should have waited. Please read the LQ rules you agreed to when you signed up and do not try to pull that stunt again.
Last edited by unSpawn; 01-12-2006 at 04:40 PM.
|
|
|
01-12-2006, 01:58 PM
|
#2
|
Senior Member
Registered: May 2005
Posts: 1,565
Rep:
|
Please post your question in its appropriate forum.
This post has been reported.
|
|
|
01-12-2006, 02:34 PM
|
#3
|
Moderator
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
|
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
|
|
|
01-12-2006, 02:35 PM
|
#4
|
Moderator
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696
|
Well...to Linux-Security...
|
|
|
01-12-2006, 02:45 PM
|
#5
|
LQ Newbie
Registered: Jan 2006
Posts: 10
Original Poster
Rep:
|
Creating Mid_CA_CERT and MID_CA_KEY.pem
Basically I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.
Here is the problem: I need to generate a MID_CA(key/cert).pem pair, and the documentation I have found on the net so far regarding this appears almost nil.
Does anyone know the command sequence to generate this from the CA?
|
|
|
01-12-2006, 02:56 PM
|
#6
|
LQ Newbie
Registered: Jan 2006
Posts: 10
Original Poster
Rep:
|
creating Intermediate CA
Does anyone have detailed instructions from the command line on how to create an intermediate certificate from a CA?
Basically I need to generate a MID_CA_CERT.pem and MID_CA_KEY.pem.
|
|
|
01-13-2006, 09:08 AM
|
#7
|
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Rep:
|
Read up on certificate chains. When dealing with certificates, it's basically about trusting the signer. You might need to add the signing CA certificate to the certificate chain. Of course, your browser will probably throw an error for that also if you have not imported the CA cert into your browser.
|
|
|
01-16-2006, 10:19 AM
|
#8
|
LQ Newbie
Registered: Jan 2006
Posts: 10
Original Poster
Rep:
|
Question regarding Chains
Quote:
Originally Posted by stickman
Read up on certificate chains. When dealing with certificates, it's basically about trusting the signer. You might need to add the signing CA certificate to the certificate chain. Of course, your browser will probably throw an error for that also if you have not imported the CA cert into your browser.
|
I read up on certificate chains. Basically the intermediate chain I'm trying to create is for a test environment for a printer. I've already generated the CAcert. I just can't find any clear documentation on how to manually generate an intermediate certificate. Do you know the command or location of documentation that might help?
Is this the command set?
openssl req -new -config openssl.cnf \
-out proxy2.req -keyout proxy2.key
openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
-out proxy2.crt -CA proxy.crt -CAkey proxy.key \
-extfile openssl.cnf -extensions v3_proxy2
Thank you,
Ed
Last edited by new_to_open_ssl; 01-16-2006 at 10:34 AM.
|
|
|
01-16-2006, 09:11 PM
|
#9
|
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Rep:
|
I'm a little confused about what you are attempting to do. What key did you use to sign the CSR for your printer? If you used your CA key, then there is no other intermediate certificate.
|
|
|
01-17-2006, 08:23 AM
|
#10
|
LQ Newbie
Registered: Jan 2006
Posts: 10
Original Poster
Rep:
|
Quote:
Originally Posted by stickman
I'm a little confused about what you are attempting to do. What key did you use to sign the CSR for your printer? If you used your CA key, then there is no other intermediate certificate.
|
First I need to construct an intermediate CA. I'm not sure of the manual process to create this. The path should be intermediateCA->CA, I think. The correct commands to do this are what I'm looking for.
|
|
|
01-17-2006, 05:52 PM
|
#11
|
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Rep:
|
What key did you sign the printer CSR with?
|
|
|
01-18-2006, 02:23 PM
|
#12
|
LQ Newbie
Registered: Jan 2006
Posts: 10
Original Poster
Rep:
|
Quote:
Originally Posted by stickman
What key did you sign the printer CSR with?
|
I think the intermediate CA, but could be old MID CA. It's signed by the printer and downloaded to my desktop.
|
|
|
01-18-2006, 07:31 PM
|
#13
|
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Rep:
|
If the printer signed its own CSR, then there is no intermediate cert unless your printer manufacturer provides it. If you signed the printer CSR with your OpenSSL CA key, then your OpenSSL CA cert is the next link in the chain. You can't just generate an intermediate CA cert and stuff it between two certs. The signatures must "cascade down" the links of the certificate chain.
|
|
|
01-20-2006, 08:22 AM
|
#14
|
LQ Newbie
Registered: Jan 2006
Posts: 10
Original Poster
Rep:
|
Quote:
Originally Posted by stickman
If the printer signed its own CSR, then there is no intermediate cert unless your printer manufacturer provides it. If you signed the printer CSR with your OpenSSL CA key, then your OpenSSL CA cert is the next link in the chain. You can't just generate an intermediate CA cert and stuff it between two certs. The signatures must "cascade down" the links of the certificate chain.
|
I figured out the intermediate part with ./CA.pl -signCA. I'm worried that the key file generated from newreq.pem also has the CSR inside. Will this affect the new key?
|
|
|
01-23-2006, 09:58 PM
|
#15
|
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Rep:
|
Quote:
Originally Posted by new_to_open_ssl
I figured out the intermediate part with ./CA.pl -signCA. I'm worried that the key file generated from newreq.pem also has the CSR inside. Will this affect the new key?
|
Do you mean the cert generated from the CSR? Most applications using SSL require just the initial key and the matching cert to start.
|
|
|
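The intermediate CA asked for at the top of the thread, and the "cascade down" rule from post #13, as an added example that is not from any poster in the thread. It uses plain openssl req/x509 rather than CA.pl, builds root -> intermediate -> leaf in a scratch directory, and shows that the leaf verifies only with the intermediate whose key actually signed it. All file names, subject names, the ca.cnf section names and the 30-day lifetime are constructed; OpenSSL 1.1.1 or later on the PATH is assumed.

```shell
#!/bin/sh
# Added example: root CA -> intermediate CA -> leaf in a scratch directory.
# Every file name and subject below is constructed for illustration.

# sign BASE CA EXT: issue BASE.crt from BASE.csr using CA.crt / CA.key
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 30 -extfile ca.cnf -extensions "$3" -out "$1.crt"
}
# newreq BASE CN: fresh key pair (BASE.key) and CSR (BASE.csr)
newreq() {
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr"
}
make_chain() (
    cd "$1" && cat > ca.cnf <<'EOF' &&
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
EOF
    # Root: self-signed. Intermediate: its own key, certificate signed by the ROOT key.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
        -subj "/CN=Test Root CA" -days 30 -keyout root.key -out root.crt &&
    newreq mid "Test Intermediate CA" && sign mid root v3_ca &&
    # Leaf (the printer's CSR in the thread): signed by the INTERMEDIATE key.
    newreq leaf "printer.test" && sign leaf mid v3_leaf &&
    # Impostor: same subject as mid.crt, also signed by root, but a different key.
    newreq fake "Test Intermediate CA" && sign fake root v3_ca
) >/dev/null 2>&1

# verify_leaf DIR [INTERMEDIATE]: exit 0 only if leaf.crt chains up to root.crt
verify_leaf() (
    cd "$1" && openssl verify -CAfile root.crt ${2:+-untrusted "$2"} leaf.crt
) >/dev/null 2>&1

d=$(mktemp -d) && make_chain "$d" || exit 1
verify_leaf "$d" mid.crt  && echo "leaf + mid.crt : chain verifies"
verify_leaf "$d"          || echo "leaf alone     : rejected (issuer missing)"
verify_leaf "$d" fake.crt || echo "leaf + fake.crt: rejected (different key)"
rm -rf "$d"
```

A server that presents leaf.crt must also send mid.crt, and clients need only root.crt in their trust store.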