我设法创建了一个自签名证书,但现在我希望能够使用此自签名证书颁发其他证书。如何在 C 中使用 openssl 库来做到这一点?
【问题讨论】:
openssl 命令吗?
标签: c openssl certificate x509
首先创建一个证书请求和一个私钥:
X509_REQ *req;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name=NULL;
if ((pk=EVP_PKEY_new()) == NULL)
return false;
if ((req=X509_REQ_new()) == NULL)
return false;
rsa=RSA_generate_key(SSL_KEY_BITS,RSA_F4,NULL,NULL);
if (!EVP_PKEY_assign_RSA(pk,rsa))
return false;
rsa=NULL;
X509_REQ_set_pubkey(req,pk);
name=X509_REQ_get_subject_name(req);
X509_NAME_add_entry_by_txt(name,"C",MBSTRING_ASC, "AT", -1, -1, 0);
X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, "CommonName", -1, -1, 0);
if (!X509_REQ_sign(req,pk,EVP_sha1()))
return false;
return true;
使用ca私钥对请求进行签名,参数:X509* cacert, EVP_PKEY* ca_key
#define SSL_KEY_DAYS 366*20
EVP_PKEY *pkey;
x509 *x=NULL; // temporary certificate
X509* ssl_cert=NULL;
X509_CINF *ci;
X509_STORE *ctx;
// Public Key Check
pkey=X509_REQ_get_pubkey(req);
if(pkey == NULL)
return false;
if (X509_REQ_verify(req,pkey) < 0)
return false;
EVP_PKEY_free(pkey);
ctx = X509_STORE_new();
X509_STORE_set_default_paths(ctx);
X509_set_version(x,2);
x=X509_new();
if (x == NULL)
return false;
ci=x->cert_info;
ASN1_INTEGER_set(X509_get_serialNumber(x),SSL_SERIAL);
if (!X509_set_issuer_name(x,req->req_info->subject))
return false;
if (!X509_set_subject_name(x,req->req_info->subject))
return false;
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*SSL_KEY_DAYS);
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x,pkey);
EVP_PKEY *upkey;
X509_STORE_CTX xsc;
upkey = X509_get_pubkey(cacert);
EVP_PKEY_copy_parameters(upkey,pkey);
EVP_PKEY_free(upkey);
if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL))
return false;
if (!X509_set_issuer_name(x,X509_get_subject_name(cacert)))
return false;
if(!X509_sign(x,ca_key,EVP_sha1()))
return false;
ssl_cert = X509_dup(x);
EVP_PKEY_free(pkey);
X509_STORE_CTX_cleanup(&xsc);
X509_STORE_free(ctx);
X509_free(x);
return true;
【讨论】: