使用 c++ openssl 库创建 x509 链

Question

I have clientCA.key and clientCA.crt - intermediate private key and certificate. Now, I generate endpoint private key and certificate request at command line:

openssl req -new -nodes -newkey rsa:2048 -keyout clientEP.key -out clientEP.csr \ -subj "/C=CA/ST=AAA/L=BBB/O=CCC/OU=DDD/CN=EEE/emailAddress=m@m"

Then make endpoint certificate with signing by intermediate CA certificate and key:

openssl x509 -req -CAkey clientCA.key -CA clientCA.crt -days 365 -in clientEP.csr -out clientEP.crt -set_serial 25 -extfile clientEP.cnf

It's easy to generate RSA key and request: RSA_generate_key_ex(keys, 2048,e, NULL); X509_REQ_new();

but how can I get request signed by clientCA.key and clientCA.crt and take clientEP.crt with C++ Openssl library? Maybe it's possible to generate Endpoint certificate from this files without request?

Answer 1

Openssl provides various functions and you can use them. It's better to search more or visit an openssl org. And read the description of each function carefully.

You can do like you did on linux(maybe),

1. Create a PrivateKey for an end-entity certificate.

     EVP_PKEY *pkey = EVP_PKEY_new(void);

See: https://www.openssl.org/docs/man1.1.0/man3/EVP_PKEY_new.html

2. Create a RSA and set it to the PrivateKey

    RSA *rsa = RSA_generate_key(1024, 3, 0, 0);
    EVP_PKEY_set1_RSA(pkey, RSA *key);

See also https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_set1_RSA.html

3. Create a X509

    X509 *cert = X509_new(void);

4. Set the pubkey(correstponded key to a privatekey made eariler)

    X509_set_pubkey(cert, pkey);

5. Do a sign to clientEP using a privatekey of cliendCA.

    X509_sign(cert, pkey, 0); // third param is a hashing option.

6. Set the specific profile of a cert.(I may miss some specific steps but you can do it)

You may get the information when you google it more. In addition, openssl provides a write api such as BIO_write or PEM_write_X509 and so on.

I hope it would be helpful.