[CLUE-Tech] signing CA private key with another CA?

Jeffrey Brown JABrown at co.jefferson.co.us
Thu Aug 28 09:38:38 MDT 2003


I don't think it can be done ...

openssl req -new -key /root/ssl/private.key -out /root/ssl/private.csr

results in a CSR (certificate signing request). I believe this allows
one to have their key signed by another to create a chained authority on
the certificate. I don't think one can sign a private key without a CSR;
however, I'm definitely not an expert in this area. The following script
is what I use to generate a CA & public key cert.

1) openssl genrsa -out /root/ssl/ca.key 1024
2) openssl req -new -key /root/ssl/ca.key -out /root/ssl/ca.csr
3) openssl x509 -req -days 730 -in /root/ssl/ca.csr -signkey /root/ssl/ca.key -out /root/ssl/ca.crt

1) Generates a private key w/ 1024 bit modulus
2) Requests a CSR from the private key
3) Requests an X.509 certificate valid for 730 days from the CSR, signed
by the private key.

If you find a way ... let us know.

>>> ockers at ockers.net 8/27/2003 11:39:50 AM >>>
Hi all,

I need some help.  We are using the openssl and ssleay x509
facility to operate a small internal certificate authority 
(CA), for issuing SSL certificates to web sites and software 
code signing.  We find this to be pretty handy since we can
generally load our certificate authority's public key into
browsers and software that we control.

And we don't have to pay Verisign anything for this, which
is good.

I need to migrate an old ssleay based CA to openssl on a new
system.  For various boring technical reasons I don't want
to just copy the private key of the old CA to the new system -
I want to make a new CA but which inherits the privileges of
the old CA, but which starts out with new serial numbers and
a new CRL etc.

I remember from my days of using PGP that I could sign someone
else's PGP private key with my private key, then anything they
send me signed with their private key would be verified by my
PGP software since I'd signed their private key previously.

I want to do this with our certificate authority: I want to
sign the new CA's private key with the old CA's private key,
so that certificates issued (keys signed) by the new CA will
be verified by the old CA's public key, and the web browsers
won't display a warning etc. etc. etc. because they have the
old CA's public key already loaded.

I think it is technically possible to do this because I 
can get an unlimited certificate from Verisign (for the
"right" amount of money), in which they would sign my CA
private key with their CA private key and then I could go
on and issue certificates that would be properly validated
through the chain.

Does anyone know how to sign a CA private key using openssl
or ssleay?  Neither of these appears to have any signing
functionality other than signing "certificate requests" (public
keys from web servers etc) or signing random data.  I 
specifically can't find anything in there about signing a
private key.

My private key looks like this:

-----BEGIN RSA PRIVATE KEY-----
WhAtEvEr
-----END RSA PRIVATE KEY-----

All I get is error messages from ssleay & openssl when I try
to sign that.  Since it's not plain data I don't want to just
use rsautl -sign to sign it.  Plus ssleay doesn't have a
rsautl function anyway.  If it makes any difference we are
migrating away from "SSLeay 0.6.6 14-Jan-1997". The "rsa"
function doesn't have a "sign" option of course.

Any ideas?  I'd sure appreciate it.

Thanks,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/ 
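The mechanism the thread is circling, shown end to end as an added shell example (this is not code from Jim or Jeffrey, and uses present-day `openssl` options such as `-subj`, `-extfile`, `-CA`/`-CAkey` rather than the SSLeay-era tools they had). The new CA's private key is never signed and never leaves the new system: a CSR carrying its public key is signed by the old CA with `basicConstraints = CA:TRUE`, and anything the new CA then issues validates up to the old CA's public key through that intermediate certificate. The subject names, file names, key sizes and lifetimes are constructed for the example; the negative check at the end shows why the intermediate must be shipped alongside server certificates.

```shell
#!/bin/sh
# Added example: chain a NEW CA under an OLD CA with OpenSSL.
# All paths, subject names and lifetimes here are constructed for the demo.
set -eu

# Extension profiles. The CA profile is what a plain "x509 -req -signkey"
# recipe omits; without CA:TRUE a verifier will not accept certs the new CA issues.
write_extensions() {
  cat > "$1/ext.cnf" <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.internal
EOF
}

# 1) OLD root CA: genrsa / req / x509 -req -signkey, plus the CA extensions.
#    In a real migration this key and certificate already exist and stay put.
make_old_ca() {
  openssl genrsa -out "$1/old-ca.key" 2048 2>/dev/null
  openssl req -new -key "$1/old-ca.key" -subj "/CN=Old Internal CA" -out "$1/old-ca.csr"
  openssl x509 -req -days 730 -in "$1/old-ca.csr" -signkey "$1/old-ca.key" \
    -extfile "$1/ext.cnf" -extensions v3_ca -out "$1/old-ca.crt" 2>/dev/null
}

# 2) NEW CA: fresh key on the new system, CSR from it, CSR signed by the OLD CA
#    as a CA. Only the CSR (public key) crosses between the two systems.
make_new_ca() {
  openssl genrsa -out "$1/new-ca.key" 2048 2>/dev/null
  openssl req -new -key "$1/new-ca.key" -subj "/CN=New Internal CA" -out "$1/new-ca.csr"
  openssl x509 -req -days 730 -in "$1/new-ca.csr" \
    -CA "$1/old-ca.crt" -CAkey "$1/old-ca.key" -CAcreateserial \
    -extfile "$1/ext.cnf" -extensions v3_ca -out "$1/new-ca.crt" 2>/dev/null
}

# 3) A server certificate issued by the NEW CA only.
issue_leaf() {
  openssl genrsa -out "$1/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$1/leaf.key" -subj "/CN=www.example.internal" -out "$1/leaf.csr"
  openssl x509 -req -days 365 -in "$1/leaf.csr" \
    -CA "$1/new-ca.crt" -CAkey "$1/new-ca.key" -CAcreateserial \
    -extfile "$1/ext.cnf" -extensions v3_leaf -out "$1/leaf.crt" 2>/dev/null
}

build_chain() {
  write_extensions "$1"; make_old_ca "$1"; make_new_ca "$1"; issue_leaf "$1"
}

# What a browser that trusts only the OLD CA does when the server also sends
# new-ca.crt: returns 0 (success) when the leaf validates through the chain.
verify_with_chain() {
  openssl verify -CAfile "$1/old-ca.crt" -untrusted "$1/new-ca.crt" "$1/leaf.crt" 2>&1 \
    | grep -q ': OK$'
}

# Without the intermediate the OLD CA's public key alone cannot validate the
# leaf. Returns 0 when verification fails, which is the expected outcome.
verify_without_chain_fails() {
  ! openssl verify -CAfile "$1/old-ca.crt" "$1/leaf.crt" 2>&1 | grep -q ': OK$'
}

demo() {
  d=$(mktemp -d)
  build_chain "$d"
  verify_with_chain "$d" && echo "leaf validates via old CA -> new CA chain"
  verify_without_chain_fails "$d" && echo "leaf does NOT validate against old CA alone"
  rm -rf "$d"
}
demo
```

Operationally the only thing that moves from the new system to the old one is `new-ca.csr`, and the only thing that comes back is `new-ca.crt`; the old CA's key is touched once, to sign that CSR, and the new CA keeps its own serial file and CRL from a clean start.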