Skip to content

Latest commit

 

History

History
47 lines (32 loc) · 1.52 KB

README.md

File metadata and controls

47 lines (32 loc) · 1.52 KB

CA signing using OpenSSL C API

This example code demonstrates how to use the OpenSSL C API to perform the actions by a CA. In short, it does the following:

How it works:

  • We generate a self-signed CA
  • We generate a Intermediate CA and sign it with the First CA
  • We generate a server cert and sign it with the intermediate.

During each step we:

  • Generate a private RSA key.
  • Generate a certificate request.
  • Sign this certificate request using the CA certificate or ourselves.

All certs are saved to file, and are named accordingly.

How-to

  1. Run make which will compile the application.
  2. Run ./conductor which will generate a certificate an intermediate and a Root CA
  3. Run ./conductor server hostname.domain.tld will generate a server cert.
  4. Run ./condictor user [email protected] will generate a user cert.
  5. Run ./conductor server hostname.domain.tld -d sub.domain.tld -i ipaddress will add SAN items

Manually verifying that a certificate is signed by a CA

For reference only; if you want to check that the generated certificate is indeed signed by the CA. You must first place the certificate output of ./cert into cert.crt.

$ openssl verify -CAfile ca.pem cert.crt
cert.crt: OK

If an error occurs, expect some other output such as self signed certificate etc.

Manually signing the certificate with the CA key

For reference only; this is what we'll do with C code instead.

$ openssl x509 -req -days 365 -in vnf.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out vnf.crt