I am a newbie in the OpenSSL library and PKI. I have a simple question for OpenSSL experts.
Does anybody know how to create certificates for the code samples in the article "An Introduction to OpenSSL Programming (Part I/II)" by Eric Rescorla?
www.rtfm.com/openssl-examples/part1.pdf
www.rtfm.com/openssl-examples/part2.pdf
I have downloaded the source code from http://www.rtfm.com/openssl-examples. The problem is that the certificates are expired and I don't know how to create a new root certificate.
How do I create a root certificate? How do I create certificates for the client and server app? Which ciphering algorithm should I use? As far as I understand I should do the following:
- Create a key pair: secret and public keys.
- Create a certificate request (p10 format).
- Create a self-signed root certificate (X.509 format).
The details are not clear from the article.
This is how I am trying to create certificates:
1) Creating the CA private key and certificate request: openssl req -newkey rsa -keyout ./ca_key.pem -out ./ca_req.pem -days 1095 -passout pass:"password" -subj "some information about CA" -extensions v3_ca
2) Create the self-signed CA certificate: openssl ca -create_serial -in ca_req.pem -out root.pem -days 1095 -passin pass:"password" -selfsign -extensions v3_ca
3) Generate the server private key and certificate request: openssl req -newkey rsa -keyout server_key.pem -out server_req.pem -days 1095 -passout pass:"password" -subj "some information about server"
4) Create the server certificate (this certificate is not self-signed; it is signed by the CA private key): openssl ca -in server_req.pem -out server.pem -passin pass:"password"
5) Generate the user private key and certificate request: openssl req -newkey rsa -keyout user_key.pem -out user_req.pem -days 1095 -passout pass:"password" -subj "some information about client"
6) Create the user certificate (this certificate is not self-signed; it is signed by the CA private key): openssl ca -in user_req.pem -out client.pem -passin pass:"password"
I am not sure about the "rsa" algorithm here. Maybe I should use another algorithm.
So I have root.pem, server.pem, client.pem. I put the client key and certificate into client.pem, and the same for server.pem (the same way as in the article's sample certificates).
But when I try to start the server with these newly generated certificates I get an error: "Couldn't open DH file."
When I put the old DH file in the current folder, the server starts. (dh1024.pem: what is it?)
The next step: I start the client and I get another error message: "Certificate doesn't verify."
The error code is 20. The description for code 20 in x509_vfy.h is "unable to get issuer certificate locally".
All of this means that I have created the certificates incorrectly. I don't know how to do it correctly.
Does anybody have an idea?
This is the solution. Maybe it is not optimal, but it works. The only difference from the solution in the question is the option: "-des3 1024"
Error code 20, "unable to get issuer certificate locally", is caused because there is no CA certificate present. Both the client and server certificates need to be signed by a common CA.
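An added example (not code from the question, the answers, or Rescorla's article) that does what the question and this answer describe: one self-signed root CA, server and client certificates signed by that same CA in the key-plus-certificate file layout the article's programs load, the chain check that the client's error 20 corresponds to, and the DH parameter file the server complains about. The subject names, key sizes, output directory and the 2048-bit DH group are assumptions.

```shell
#!/bin/sh
# make_test_pki DIR: build a throw-away root CA plus server and client
# certificates signed by it, laid out as the article's sample programs
# expect: root.pem (CA), server.pem and client.pem (private key followed
# by certificate). Subject names and key sizes are constructed here.
make_test_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # 1) Self-signed root CA: key and certificate in one step.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -subj "/O=Example Test PKI/CN=Example Root CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/root.pem" 2>/dev/null || return 1
    # 2) One leaf per role: a CSR, then sign it with the same CA key.
    #    Leaves issued by different CAs are what produce verify error 20.
    for role in server client; do
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/O=Example Test PKI/CN=example-$role" \
            -keyout "$dir/${role}_key.pem" -out "$dir/${role}_req.pem" \
            2>/dev/null || return 1
        openssl x509 -req -in "$dir/${role}_req.pem" -days 1095 -sha256 \
            -CA "$dir/root.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
            -out "$dir/${role}_cert.pem" 2>/dev/null || return 1
        # The sample code loads key and certificate from a single file.
        cat "$dir/${role}_key.pem" "$dir/${role}_cert.pem" > "$dir/$role.pem"
    done
}

# verify_chain DIR ROLE: the check the article's client performs at the
# SSL layer, done with the CLI: does ROLE's certificate chain to root.pem?
# Exit status 0 means X509_V_OK; a leaf from another CA fails with
# "unable to get local issuer certificate" (error 20).
verify_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/$2_cert.pem"
}

# make_dh_params DIR: "Couldn't open DH file" means the server could not
# read its Diffie-Hellman parameter file; the article ships dh1024.pem.
# The file name is what the sample code opens; the group inside can be
# larger, so 2048 bits is generated here. This can take a minute or more.
make_dh_params() {
    openssl dhparam -out "$1/dh1024.pem" 2048 2>/dev/null
}

# Usage: sh this_script.sh ./pki  (builds the PKI and verifies both leaves)
if [ -n "${1:-}" ]; then
    make_test_pki "$1" && verify_chain "$1" server && verify_chain "$1" client
fi
```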