[CLUE-Tech] signing CA private key with another CA?

Jim Ockers ockers at ockers.net
Wed Aug 27 11:39:50 MDT 2003


Hi all,

I need some help.  We are using the openssl and ssleay x509
facility to operate a small internal certificate authority 
(CA), for issuing SSL certificates to web sites and software 
code signing.  We find this to be pretty handy since we can
generally load our certificate authority's public key into
browsers and software that we control.

And we don't have to pay Verisign anything for this, which
is good.

I need to migrate an old ssleay based CA to openssl on a new
system.  For various boring technical reasons I don't want
to just copy the private key of the old CA to the new system -
I want to make a new CA but which inherits the privileges of
the old CA, but which starts out with new serial numbers and
a new CRL etc.

I remember from my days of using PGP that I could sign someone
else's PGP private key with my private key, then anything they
send me signed with their private key would be verified by my
PGP software since I'd signed their private key previously.

I want to do this with our certificate authority: I want to
sign the new CA's private key with the old CA's private key,
so that certificates issued (keys signed) by the new CA will
be verified by the old CA's public key, and the web browsers
won't display a warning etc. etc. etc. because they have the
old CA's public key already loaded.

I think it is technically possible to do this because I 
can get an unlimited certificate from Verisign (for the
"right" amount of money), in which they would sign my CA
private key with their CA private key and then I could go
on and issue certificates that would be properly validated
through the chain.

Does anyone know how to sign a CA private key using openssl
or ssleay?  Neither of these appears to have any signing
functionality other than signing "certificate requests" (public
keys from web servers etc) or signing random data.  I 
specifically can't find anything in there about signing a
private key.

My private key looks like this:

-----BEGIN RSA PRIVATE KEY-----
WhAtEvEr
-----END RSA PRIVATE KEY-----

All I get is error messages from ssleay & openssl when I try
to sign that.  Since it's not plain data I don't want to just
use rsautl -sign to sign it.  Plus ssleay doesn't have a
rsautl function anyway.  If it makes any difference we are
migrating away from "SSLeay 0.6.6 14-Jan-1997".  The "rsa"
function doesn't have a "sign" option of course.

Any ideas?  I'd sure appreciate it.

Thanks,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/
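Added example (not from the post above or from the OpenSSL project): the thing the post is reaching for is a subordinate (intermediate) CA. Nothing signs the new CA's private key; instead the new key produces a certificate request, and the old CA signs that request into a certificate carrying `basicConstraints=CA:TRUE`, so the old CA's public key validates the new CA's certificate and, through it, every certificate the new CA issues. The script below builds that chain end to end and then checks it with `openssl verify`, both with and without the intermediate present. It assumes the `openssl` command line (the `x509 -req -extfile` and `verify -untrusted` options used here), and the subject names, file names and validity periods are constructed for the example.

```shell
#!/bin/sh
# Added example: migrate to a new internal CA whose certificate is signed by
# the old CA, so clients that already trust the old CA accept the new one.
# Assumes the openssl CLI; subjects, file names and lifetimes are made up here.
set -eu

# Build old root CA, new subordinate CA, and one server certificate in "$1".
build_chain() {
    work="$1"
    mkdir -p "$work"

    # 1. Old CA (stand-in for the existing SSLeay-era CA): self-signed root.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$work/root-ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/old-ca.key" \
        -out "$work/old-ca.csr" -subj "/CN=Old Internal CA" 2>/dev/null
    openssl x509 -req -in "$work/old-ca.csr" -signkey "$work/old-ca.key" \
        -out "$work/old-ca.crt" -days 3650 -extfile "$work/root-ext.cnf" 2>/dev/null

    # 2. New CA: its own key and a CSR. The private key never leaves this host;
    #    only the request (the public half) goes to the old CA for signing.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/new-ca.key" \
        -out "$work/new-ca.csr" -subj "/CN=New Internal CA" 2>/dev/null

    # 3. Old CA signs the new CA's request, marking the result as a CA.
    #    pathlen:0 means the new CA may issue end-entity certs but no further CAs.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$work/sub-ext.cnf"
    openssl x509 -req -in "$work/new-ca.csr" -CA "$work/old-ca.crt" \
        -CAkey "$work/old-ca.key" -CAcreateserial -out "$work/new-ca.crt" \
        -days 1825 -extfile "$work/sub-ext.cnf" 2>/dev/null

    # 4. A web-server certificate issued by the new CA only.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$work/srv-ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/server.key" \
        -out "$work/server.csr" -subj "/CN=www.example.internal" 2>/dev/null
    openssl x509 -req -in "$work/server.csr" -CA "$work/new-ca.crt" \
        -CAkey "$work/new-ca.key" -CAcreateserial -out "$work/server.crt" \
        -days 365 -extfile "$work/srv-ext.cnf" 2>/dev/null
}

# A client trusting only old-ca.crt accepts server.crt when the intermediate
# new-ca.crt is presented alongside it (as the web server must send it).
verify_chain() {
    openssl verify -CAfile "$1/old-ca.crt" -untrusted "$1/new-ca.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# Without the intermediate, the same client cannot build a path to the old
# root; this is the usual cause of browser warnings after such a migration.
verify_without_intermediate() {
    openssl verify -CAfile "$1/old-ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Check that the subordinate CA certificate really carries CA:TRUE.
sub_ca_is_ca() {
    openssl x509 -in "$1/new-ca.crt" -noout -text | grep -q 'CA:TRUE'
}
```

Usage: source the file (`. ./subca.sh`), then `build_chain /tmp/ca && verify_chain /tmp/ca && echo chain ok`. In deployment, the web server must serve `server.crt` followed by `new-ca.crt`; clients keep trusting only `old-ca.crt`. The old CA's key is needed exactly once, to sign `new-ca.csr`; it is never copied to the new system, and the new CA starts its own serial file and CRL.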
