mmm
Reputation: 747
How to programatically issue a certificate from a self signed certificate with openssl?
I manage to create a self signed certificate, but now I would like to be able to issue other certificates with this self signed certificate. How can this be done in C using openssl library?
Upvotes: 1
Views: 1314
Answers (1)
pHagi
Reputation: 208
first create a certificate request and a private key:
X509_REQ *req;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name=NULL;
if ((pk=EVP_PKEY_new()) == NULL)
return false;
if ((req=X509_REQ_new()) == NULL)
return false;
rsa=RSA_generate_key(SSL_KEY_BITS,RSA_F4,NULL,NULL);
if (!EVP_PKEY_assign_RSA(pk,rsa))
return false;
rsa=NULL;
X509_REQ_set_pubkey(req,pk);
name=X509_REQ_get_subject_name(req);
X509_NAME_add_entry_by_txt(name,"C",MBSTRING_ASC, "AT", -1, -1, 0);
X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, "CommonName", -1, -1, 0);
if (!X509_REQ_sign(req,pk,EVP_sha1()))
return false;
return true;
sign the request with the ca private key, paramter: X509* cacert, EVP_PKEY* ca_key
#define SSL_KEY_DAYS 366*20
EVP_PKEY *pkey;
x509 *x=NULL; // temporary certificate
X509* ssl_cert=NULL;
X509_CINF *ci;
X509_STORE *ctx;
// Public Key Check
pkey=X509_REQ_get_pubkey(req);
if(pkey == NULL)
return false;
if (X509_REQ_verify(req,pkey) < 0)
return false;
EVP_PKEY_free(pkey);
ctx = X509_STORE_new();
X509_STORE_set_default_paths(ctx);
X509_set_version(x,2);
x=X509_new();
if (x == NULL)
return false;
ci=x->cert_info;
ASN1_INTEGER_set(X509_get_serialNumber(x),SSL_SERIAL);
if (!X509_set_issuer_name(x,req->req_info->subject))
return false;
if (!X509_set_subject_name(x,req->req_info->subject))
return false;
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*SSL_KEY_DAYS);
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x,pkey);
EVP_PKEY *upkey;
X509_STORE_CTX xsc;
upkey = X509_get_pubkey(cacert);
EVP_PKEY_copy_parameters(upkey,pkey);
EVP_PKEY_free(upkey);
if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL))
return false;
if (!X509_set_issuer_name(x,X509_get_subject_name(cacert)))
return false;
if(!X509_sign(x,ca_key,EVP_sha1()))
return false;
ssl_cert = X509_dup(x);
EVP_PKEY_free(pkey);
X509_STORE_CTX_cleanup(&xsc);
X509_STORE_free(ctx);
X509_free(x);
return true;
Upvotes: 4
Related Questions
- Programmatically Create X509 Certificate using OpenSSL
- Programmatically generate a CA Certificate with openssl in C++
- Programmatically verify a X509 certificate and private key match
- How to programmatically create a Certificate Signing Request (CSR)?
- programmatically convert an x509 certificate into human readable format using openssl api
- How to verify a X509 certificate in C
- How to set the Keyusage value to new openssl X509 certificate in c program?
- How do I create a self-signed certificate in OpenSSL programatically (i.e., not with the 'openssl' CLI command)?
- how to use ECDSA to create a self signed digital certificate programatically
- Programmatically input data in X509 Certificate using OpenSSL