This allows intermediate CAs to be created more easily.
PKCS12_create() now checks private key matches certificate.
Fix typo in x509 app.
Update docs.
New function ASN1_STRING_to_UTF8() converts any ASN1_STRING
type to UTF8.
"-infiles newreq.pem");
$RET=$?;
print "Signed certificate is in newcert.pem\n";
+ } elsif (/^(-signCA)$/) {
+ system ("$CA -policy policy_anything -out newcert.pem " .
+ "-extensions v3_ca -infiles newreq.pem");
+ $RET=$?;
+ print "Signed CA certificate is in newcert.pem\n";
} elsif (/^-signcert$/) {
system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
"-out tmp.pem");
}
else if (subject == i)
{
- print_name(STDout, "issuer= ",
+ print_name(STDout, "subject= ",
X509_get_subject_name(x), nmflag);
}
else if (serial == i)
{
int str_type;
int ret;
+ char free_out;
int outform, outlen;
ASN1_STRING *dest;
unsigned char *p;
}
if(!out) return str_type;
if(*out) {
+ free_out = 0;
dest = *out;
if(dest->data) {
dest->length = 0;
}
dest->type = str_type;
} else {
+ free_out = 1;
dest = ASN1_STRING_type_new(str_type);
if(!dest) {
ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
break;
}
if(!(p = OPENSSL_malloc(outlen + 1))) {
- ASN1_STRING_free(dest);
+ if(free_out) ASN1_STRING_free(dest);
ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
return -1;
}
{
return do_print_ex(send_fp_chars, fp, flags, str);
}
+
+/* Utility function: convert any string type to UTF8, returns number of bytes
+ * in output string or a negative error code
+ */
+
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
+{
+ ASN1_STRING stmp, *str = &stmp;
+ int mbflag, type, ret;
+ if(!*out || !in) return -1;
+ type = in->type;
+ if((type < 0) || (type > 30)) return -1;
+ mbflag = tag2nbyte[type];
+ if(mbflag == -1) return -1;
+ mbflag |= MBSTRING_FLAG;
+ stmp.data = NULL;
+ ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
+ if(ret < 0) return ret;
+ if(out) *out = stmp.data;
+ return stmp.length;
+}
int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
#endif
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
+
#ifndef NO_BIO
char *ASN1_d2i_bio(char *(*xnew)(),char *(*d2i)(),BIO *bp,unsigned char **x);
int ASN1_i2d_bio(int (*i2d)(),BIO *out,unsigned char *x);
return NULL;
}
+ if(!X509_check_private_key(cert, pkey)) return NULL;
+
if(!(bags = sk_PKCS12_SAFEBAG_new (NULL))) {
PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
return NULL;
"newcert.pem" except in the case of the B<-xsign> option when it is written
to standard output.
+
+=item B<-signCA>
+
+this option is the same as the B<-signreq> option except it uses the configuration
+file section B<v3_ca> and so makes the signed request a valid CA certificate. This
+is useful when creating intermediate CA from a root CA.
+
=item B<-signcert>
this option is the same as B<-sign> except it expects a self signed certificate
openssl ca -in req.pem -out newcert.pem
+Sign a certificate request, using CA extensions:
+
+ openssl ca -in req.pem -extensions v3_ca -out newcert.pem
+
Generate a CRL
openssl ca -gencrl -out crl.pem
=item B<esc_ctrl>
-escape and control characters. That is those with ASCII values less than
+escape control characters. That is those with ASCII values less than
0x20 (space) and the delete (0x7f) character. They are escaped using the
RFC2253 \XX notation (where XX are two hex digits representing the
character value).
=item B<dn_rev>
reverse the fields of the DN. This is required by RFC2253. As a side
-effect this also reveress the order of multiple AVAs but this is
+effect this also reverses the order of multiple AVAs but this is
permissible.
=item B<nofname>, B<sname>, B<lname>, B<oid>
Convert a certificate request into a self signed certificate using
extensions for a CA:
- openssl x509 -req -in careq.pem -config openssl.cnf -extensions v3_ca \
+ openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
-signkey key.pem -out cacert.pem
Sign a certificate request using the CA certificate above and add user
certificate extensions:
- openssl x509 -req -in req.pem -config openssl.cnf -extensions v3_usr \
+ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
-CA cacert.pem -CAkey key.pem -CAcreateserial
projects / openssl / commitdiff